Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

AI Security

Securing AI-Generated Code: The New Risk Surface

40.73% of Copilot's suggested code contains a vulnerability, and one 2024 study found nearly 1 in 5 AI-recommended packages simply don't exist.

Jul 8, 20266 min read
Supply Chain Security

Securing SBOM storage and distribution in cloud environments

GitGuardian found 23.77 million secrets exposed on public GitHub in 2024 alone — an unprotected SBOM repository is the same mistake, just with your dependency tree instead.

Jul 8, 20267 min read
Open Source Security

The security risk of LLMs reviving abandoned open-source packages

USENIX Security 2025 found 19.7% of LLM code samples hallucinate a package name — and real, dormant packages carry the same blind trust.

Jul 8, 20267 min read
Supply Chain Security

When the Security Tool Is the Backdoor

CCleaner, tj-actions, and ua-parser-js show the same pattern: trusted tools with CI access became the attack, hitting 2.27M+ users and 23,000+ repos.

Jul 8, 20266 min read
DevSecOps

Why semantic versioning and release channels matter for security tools

A backdoor sat in xz-utils 5.6.0 and 5.6.1 for weeks before Andres Freund caught it — stable distro channels, not luck, kept it out of most production systems.

Jul 8, 20266 min read
Supply Chain Attacks

Software supply chain attack trends: what the public incident data shows

Sonatype tracked 454,648 new malicious packages in 2025 alone — over 1.2 million total since it started counting. Here's what three years of incident data reveal.

Jul 8, 20267 min read
Supply Chain Security

A vendor-neutral framework for software supply chain security tools

Supply chain tooling splits into four distinct categories with different failure modes — the xz-utils backdoor slipped past most of them for over two years.

Jul 8, 20266 min read
Supply Chain Security

Software supply chain attacks in 2026: what's actually changed

A single compromised maintainer token in March 2025 exposed secrets across 23,000+ repositories — supply chain attacks now target the pipeline, not just the package.

Jul 8, 20266 min read
Vulnerability Management

How task-scheduler RCEs become cryptomining botnets

Two chained Apache Airflow CVEs and a Rundeck YAML deserialization bug show how scheduler tools turn one flaw into unauthenticated RCE and persistent mining.

Jul 8, 20266 min read
AI Security

Vetting third-party agent skills before you install them

AI agent skill marketplaces run installed code with your full permissions and no sandboxing — VS Code's 2025 extension attacks show exactly how that gets abused.

Jul 8, 20266 min read
Application Security

Building Secure VS Code Extensions: A Developer's Guide

VS Code extensions run as trusted Node.js code with full disk and network access and no permission model to fall back on. Here is how to build one that does not become the next supply chain incident.

Jul 8, 20266 min read
Application Security

WebAssembly's security model: sandbox guarantees and the attack surface that remains

Two Critical Wasmtime sandbox-escape CVEs landed on the same day in April 2026 — proof that a wasm sandbox is only as strong as the runtime enforcing it.

Jul 8, 20267 min read
supply-chain-security (Page 13) — Safeguard Blog