supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
Auditing and pinning transitive Java dependencies with Maven and Gradle
Maven resolves version conflicts by nearest path, not highest version — one new direct dependency can silently reintroduce a patched CVE.
Container and Kubernetes scanning in agent-driven DevOps, without new trust boundaries
Autonomous agents that rebuild and redeploy containers can patch a CVE in under an hour — or become a new privileged path to production if scanning isn't gated.
Building an Open-Source License Compliance Program That Flags Copyleft Risk in CI
Software Freedom Conservancy's suit against Vizio is headed to trial in August 2026 — proof that copyleft violations are litigated, not theoretical.
Anatomy of a Malicious Go Package Typosquat
A Go typosquat backdoored since 2021 stayed live for over three years because Go's module proxy caches code immutably — even after the attacker cleaned the repo.
The OWASP Top 10 for LLM Applications, Explained With Real Examples
OWASP's LLM security list has grown from a 2023 side project into a 600+ expert initiative. Here's what each of the ten risks actually looks like in production.
Anatomy of a Software Supply-Chain Worm: A Post-Mortem Framework
500+ npm packages backdoored in days, then 796 more two months later. A repeatable post-mortem framework for self-propagating open-source worms.
Credential rotation playbook after npm worm exposure
A step-by-step rotation runbook for security teams exposed to the Shai-Hulud npm worm — what to revoke first, how to verify a credential is dead, and how to prevent a repeat.
Detecting malicious postinstall scripts in npm packages
A 2025 phishing attack compromised 18 npm packages with 2.6 billion weekly downloads. Here's how postinstall scripts became npm's top attack vector.
A risk framework for enterprise AI coding and agent tool rollouts
Samsung banned ChatGPT company-wide after three leaks in 20 days. A working framework for data exposure, model supply chain, and access control risk.
Concrete guardrails for AI coding assistants
40% of Copilot-generated code contained CWE Top 25 flaws in a 2022 study. Here are the prompt, scanning, and review gates that actually stop AI-written risk.
Hardening CI/CD Against a Compromised Upstream Registry
The Sept 2025 npm attack hit packages with 2B weekly downloads in 2 hours. Pinning, lockfile checks, and mirrors would have stopped it cold.
The Cursor IDE extension that stole $500K: a supply chain post-mortem
A fake 'Solidity Language' extension hit 50,000+ downloads on Open VSX before stealing $500K in crypto. Here's how IDE marketplaces became a trust gap.