supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
IronWorm: A Rust eBPF Rootkit Worm Hits the npm Supply Chain
IronWorm is a compiled Rust npm worm with a kernel-level eBPF rootkit, Tor C2, and OIDC-based self-propagation. It is the engineering ceiling of 2026 software supply chain attacks — and it carries no CVE.
Container security for Kubernetes and Docker
A practical glossary breakdown of container security for Kubernetes and Docker: the real risks, key benchmarks, and where code-scanning tools like Checkmarx fall short.
Stryker Wiper Attack: When Hacktivists Used Intune to Brick 200,000 Medtech Devices
An Iran-aligned group used a compromised admin account and Microsoft Intune to factory-reset roughly 200,000 of Stryker's devices in real time. The lesson is uncomfortable: your management plane is your biggest single point of failure.
Docker Hub malicious image detection
Docker Hub's open upload model has enabled real cryptojacking and phishing campaigns — here's how attackers hide malware in images and how to detect them.
PyTorch Lightning PyPI Compromise: A Software Supply Chain Attack Built to Drain ML Credentials
In April 2026, attackers pushed malicious versions of the lightning PyPI package and an npm intercom-client release, harvesting cloud, CI/CD, and GitHub credentials. Here is what happened and why ML tooling is now a prime supply chain target.
Software Development Lifecycle (SDLC) security
A secure SDLC needs more than periodic scans. See where Veracode's upload-and-scan model leaves supply chain gaps, and how continuous, provenance-aware security closes them.
Top 10 Azure security risks and prevention
Real Azure breaches — BlueBleed, ChaosDB, OMIGOD, Midnight Blizzard — trace back to storage misconfigs, identity sprawl, and exposed secrets, not zero-days.
Kairos Ransomware Hits Gregory Jewellers: 574 GB of Data Extortion at an Australian Luxury Retailer
The Kairos extortion group claims it stole roughly 574 GB from Australian luxury jeweller Gregory Jewellers. Here is what is verified, what the group's playbook tells us, and why pure data-extortion crews are the harder problem.
Terraform Cloud security integration guide
A practical breakdown of Terraform Cloud security: state file exposure, Sentinel/OPA policy gaps, Run Tasks trust risks, and drift monitoring.
Cost-Per-Verified-Finding: How Agentic AI Breaks Vulnerability Triage
Agentic AI can generate findings faster than any team can read them. The metric that survives that flood isn't cost-per-finding, it's cost-per-verified-finding. Here's why verification is now the bottleneck.
Introduction to Open Policy Agent and Rego
A concrete walkthrough of Open Policy Agent and Rego — how OPA evaluates decisions, a runnable policy example, and where it fits in supply chain security.
Pulumi security scanning best practices
Pulumi programs run as real code with live cloud credentials -- here's how to secure state files, dependencies, CrossGuard policy, and CI/CD.