Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1053 articles

Vulnerability Analysis

npm registry package hijacking incidents (CVE-2015-8858 era)

CVE-2015-8858 anchors a broader era of npm registry package hijacking — tar-extraction path traversal, left-pad, and weak account security explained.

Jan 4, 20268 min read
Incident Analysis

event-stream / flatmap-stream npm backdoor incident

How a trusted npm maintainer handoff let attackers plant a wallet-draining backdoor in event-stream, and what it still teaches security teams today.

Jan 4, 20266 min read
Vulnerability Analysis

ansi-regex ReDoS vulnerability (CVE-2021-3807)

CVE-2021-3807 is a ReDoS flaw in the widely-used ansi-regex npm package. Here's the impact, affected versions, CVSS/EPSS context, and how to fix it.

Jan 3, 20268 min read
Vulnerability Analysis

nth-check ReDoS vulnerability (CVE-2021-3803)

CVE-2021-3803 turned a niche CSS selector parser into an ecosystem-wide audit headache. Here's the real exploitability picture and how to fix it.

Jan 2, 20268 min read
Vulnerability Analysis

tough-cookie prototype pollution (CVE-2023-26136)

CVE-2023-26136: a prototype pollution flaw in tough-cookie hides deep in transitive Node.js dependencies. Impact, timeline, and remediation steps.

Jan 2, 20268 min read
Vulnerability Analysis

Express.js open redirect vulnerability (CVE-2024-29041)

CVE-2024-29041 lets attackers weaponize Express.js redirects for phishing. See affected versions, CVSS/EPSS data, and how to remediate fast.

Jan 1, 20267 min read
Industry Analysis

Third-party risk management for telehealth platforms

A six-step playbook for telehealth vendor risk management: inventory PHI flows, tier HIPAA business associate risk, run SCA on vendor SDKs, and monitor continuously.

Jan 1, 20268 min read
Vulnerability Analysis

http-cache-semantics ReDoS vulnerability (CVE-2022-25881)

CVE-2022-25881 lets attacker-influenced HTTP responses trigger catastrophic regex backtracking in http-cache-semantics, hanging Node.js services. Here's how to detect and fix it.

Jan 1, 20267 min read
Vulnerability Analysis

Python setuptools package_index ReDoS (CVE-2022-40897)

CVE-2022-40897 is a ReDoS flaw in setuptools' package_index.py that can hang CI pipelines when parsing crafted index pages. Here's how to detect and fix it.

Dec 31, 20257 min read
Vulnerability Analysis

urllib3 CA certificate verification bypass (CVE-2019-11324)

CVE-2019-11324 let urllib3 silently trust unintended CAs during custom certificate validation, undermining pinned-trust and mTLS setups.

Dec 31, 20257 min read
Vulnerability Analysis

urllib3 cookie/auth header leak on cross-origin redirect (CVE-2023-43804)

CVE-2023-43804 lets urllib3 leak Cookie headers on cross-origin redirects. See affected versions, severity context, and how to remediate fast.

Dec 30, 20257 min read
Vulnerability Analysis

PyYAML full_load unsafe deserialization arbitrary code execution (CVE-2020-14343)

CVE-2020-14343 shows PyYAML's full_load/FullLoader "safe" fix was incomplete, enabling arbitrary code execution. Here's the fix and how to detect exposure.

Dec 30, 20257 min read
supply-chain-security (Page 55) — Safeguard Blog