Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Best Practices

Auditing and pinning transitive Java dependencies with Maven and Gradle

Maven resolves version conflicts by nearest path, not highest version — one new direct dependency can silently reintroduce a patched CVE.

Jul 10, 20266 min read
Kubernetes Security

Container and Kubernetes scanning in agent-driven DevOps, without new trust boundaries

Autonomous agents that rebuild and redeploy containers can patch a CVE in under an hour — or become a new privileged path to production if scanning isn't gated.

Jul 10, 20267 min read
Open Source Security

Building an Open-Source License Compliance Program That Flags Copyleft Risk in CI

Software Freedom Conservancy's suit against Vizio is headed to trial in August 2026 — proof that copyleft violations are litigated, not theoretical.

Jul 10, 20266 min read
Supply Chain Security

Anatomy of a Malicious Go Package Typosquat

A Go typosquat backdoored since 2021 stayed live for over three years because Go's module proxy caches code immutably — even after the attacker cleaned the repo.

Jul 10, 20266 min read
AI Security

The OWASP Top 10 for LLM Applications, Explained With Real Examples

OWASP's LLM security list has grown from a 2023 side project into a 600+ expert initiative. Here's what each of the ten risks actually looks like in production.

Jul 10, 20268 min read
Supply Chain Attacks

Anatomy of a Software Supply-Chain Worm: A Post-Mortem Framework

500+ npm packages backdoored in days, then 796 more two months later. A repeatable post-mortem framework for self-propagating open-source worms.

Jul 9, 20266 min read
DevSecOps

Credential rotation playbook after npm worm exposure

A step-by-step rotation runbook for security teams exposed to the Shai-Hulud npm worm — what to revoke first, how to verify a credential is dead, and how to prevent a repeat.

Jul 9, 20266 min read
Supply Chain Security

Detecting malicious postinstall scripts in npm packages

A 2025 phishing attack compromised 18 npm packages with 2.6 billion weekly downloads. Here's how postinstall scripts became npm's top attack vector.

Jul 9, 20266 min read
AI Security

A risk framework for enterprise AI coding and agent tool rollouts

Samsung banned ChatGPT company-wide after three leaks in 20 days. A working framework for data exposure, model supply chain, and access control risk.

Jul 9, 20267 min read
AI Security

Concrete guardrails for AI coding assistants

40% of Copilot-generated code contained CWE Top 25 flaws in a 2022 study. Here are the prompt, scanning, and review gates that actually stop AI-written risk.

Jul 9, 20266 min read
DevSecOps

Hardening CI/CD Against a Compromised Upstream Registry

The Sept 2025 npm attack hit packages with 2B weekly downloads in 2 hours. Pinning, lockfile checks, and mirrors would have stopped it cold.

Jul 9, 20265 min read
Supply Chain Attacks

The Cursor IDE extension that stole $500K: a supply chain post-mortem

A fake 'Solidity Language' extension hit 50,000+ downloads on Open VSX before stealing $500K in crypto. Here's how IDE marketplaces became a trust gap.

Jul 9, 20265 min read
supply-chain-security (Page 6) — Safeguard Blog