Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Supply Chain Attacks

Protestware: what colors.js and faker.js taught the industry about maintainer risk

One unpaid maintainer sabotaged two packages with 20M+ weekly downloads in a single week. Here's what colors.js and faker.js reveal about single-maintainer risk.

Jul 16, 20265 min read
Application Security

Trojan Source: how Unicode bidi control characters hide malicious code in plain sight

CVE-2021-42574 scored 8.3 CVSS for a bug that isn't a parser flaw at all — it's Unicode's bidirectional text algorithm, weaponized against code review.

Jul 16, 20266 min read
Cloud Security

Azure Bicep IaC security fundamentals: secrets, module trust, and policy gates

A @secure() Bicep parameter still leaks in plaintext the moment it's written to an output — a well-documented gap most teams discover only after a deployment history review.

Jul 15, 20267 min read
Supply Chain Attacks

Lessons from the CircleCI 2023 secrets breach

A stolen session cookie bypassed 2FA and let attackers read secrets from live memory. CircleCI's own timeline shows what fast rotation actually requires.

Jul 15, 20267 min read
Application Security

Code injection risks in CLI tools and IDE plugins

A malicious npm dependency hid in event-stream for 8M downloads before detection. Developer tooling is a code-injection blast radius most teams never audit.

Jul 15, 20266 min read
Supply Chain Security

npm supply-chain attacks: typosquatting, dependency confusion, and postinstall malware

event-stream hid a wallet-stealing payload behind 8M downloads in 2018. Here's how typosquatting and dependency confusion actually work, and how to stop them.

Jul 15, 20266 min read
Application Security

React and TypeScript security best practices for 2026

A 2025 npm phishing attack hit packages with 2.6 billion weekly downloads. Here's how React and TypeScript teams reduce XSS, API, and dependency risk.

Jul 15, 20266 min read
DevSecOps

Securing Secrets and Environment Variables in GitHub Actions

A tag-pinned GitHub Action used by 23,000+ repos was rewritten to dump CI memory in March 2025 — here's how OIDC and SHA-pinning would have stopped it.

Jul 15, 20266 min read
Supply Chain Attacks

Anatomy of a malicious npm package attack

One phished maintainer, 18 packages, and billions of weekly downloads — how npm/PyPI supply chain attacks actually unfold, and the signals that expose them.

Jul 14, 20266 min read
Application Security

Why Node.js's vm module is not a security sandbox

Node's own docs warn the vm module isn't a security mechanism — vm2, built on top of it, still shipped two CVSS 9.8 sandbox escapes in 2023.

Jul 14, 20266 min read
Supply Chain Security

A four-surface framework for software supply-chain risk

Supply-chain attacks are up 650% year over year, per the SLSA framework — yet most teams still map risk to one surface instead of four.

Jul 14, 20267 min read
Open Source Security

Top open-source vulnerabilities in the npm ecosystem

Sonatype logged 512,000+ malicious npm packages in a year — a 156% jump. Here are the recurring vulnerability classes and how to catch them in CI.

Jul 14, 20267 min read
supply-chain-security (Page 2) — Safeguard Blog