supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1053 articles
npm registry package hijacking incidents (CVE-2015-8858 era)
CVE-2015-8858 anchors a broader era of npm registry package hijacking — tar-extraction path traversal, left-pad, and weak account security explained.
event-stream / flatmap-stream npm backdoor incident
How a trusted npm maintainer handoff let attackers plant a wallet-draining backdoor in event-stream, and what it still teaches security teams today.
ansi-regex ReDoS vulnerability (CVE-2021-3807)
CVE-2021-3807 is a ReDoS flaw in the widely-used ansi-regex npm package. Here's the impact, affected versions, CVSS/EPSS context, and how to fix it.
nth-check ReDoS vulnerability (CVE-2021-3803)
CVE-2021-3803 turned a niche CSS selector parser into an ecosystem-wide audit headache. Here's the real exploitability picture and how to fix it.
tough-cookie prototype pollution (CVE-2023-26136)
CVE-2023-26136: a prototype pollution flaw in tough-cookie hides deep in transitive Node.js dependencies. Impact, timeline, and remediation steps.
Express.js open redirect vulnerability (CVE-2024-29041)
CVE-2024-29041 lets attackers weaponize Express.js redirects for phishing. See affected versions, CVSS/EPSS data, and how to remediate fast.
Third-party risk management for telehealth platforms
A six-step playbook for telehealth vendor risk management: inventory PHI flows, tier HIPAA business associate risk, run SCA on vendor SDKs, and monitor continuously.
http-cache-semantics ReDoS vulnerability (CVE-2022-25881)
CVE-2022-25881 lets attacker-influenced HTTP responses trigger catastrophic regex backtracking in http-cache-semantics, hanging Node.js services. Here's how to detect and fix it.
Python setuptools package_index ReDoS (CVE-2022-40897)
CVE-2022-40897 is a ReDoS flaw in setuptools' package_index.py that can hang CI pipelines when parsing crafted index pages. Here's how to detect and fix it.
urllib3 CA certificate verification bypass (CVE-2019-11324)
CVE-2019-11324 let urllib3 silently trust unintended CAs during custom certificate validation, undermining pinned-trust and mTLS setups.
urllib3 cookie/auth header leak on cross-origin redirect (CVE-2023-43804)
CVE-2023-43804 lets urllib3 leak Cookie headers on cross-origin redirects. See affected versions, severity context, and how to remediate fast.
PyYAML full_load unsafe deserialization arbitrary code execution (CVE-2020-14343)
CVE-2020-14343 shows PyYAML's full_load/FullLoader "safe" fix was incomplete, enabling arbitrary code execution. Here's the fix and how to detect exposure.