supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1052 articles
RubyGems Malicious Gem Arbitrary Code Execution via Missi...
CVE-2019-8324 let a malicious RubyGems package run arbitrary code at install time via a crafted multi-line gem name evaluated during the preinstall check.
Secrets leakage in Docker images explained
How credentials get baked into Docker image layers, real incidents that exposed them, and how to detect and stop secrets leakage in container images.
RubyGems Escape Sequence Injection via Unpack API (CVE-20...
CVE-2019-8325 lets a malicious RubyGems package inject terminal escape sequences via the unpack API. Here's the impact, affected versions, and how to remediate it.
pip's Version-Based Resolution and the Origin of Dependen...
CVE-2018-20225 exposed how pip's version-based resolver lets a higher-versioned public PyPI package silently override a private one — the origin of dependency confusion attacks.
node-tar Arbitrary File Write via Symlink Extraction (CVE...
CVE-2021-32803 allows crafted symlinks in tar archives to make node-tar write files outside the extraction directory via malicious npm packages.
Python Pickle deserialization risk explained
Pickle deserialization lets attacker-controlled data execute arbitrary code on load. Here's how the exploit works, real CVEs, and how to fix it.
node-tar Windows-Specific Path Traversal Bypass (CVE-2021...
CVE-2021-37712 let malicious tar archives bypass node-tar's symlink protections on Windows via junctions, enabling path traversal during npm installs. Here's what to patch.
Argument injection vulnerabilities explained
How argument injection (CWE-88) vulnerabilities work, real CVEs like PHPMailer and Git ssh URLs, and how teams detect and prevent CWE-88 flaws.
The coa and rc npm Maintainer Account Hijack Incident
How the coa and rc npm hijack let attackers seize maintainer accounts on two packages with 20M+ weekly downloads to push Windows password-stealing malware.
npm prototype pollution trends report 2025
Safeguard's 2025 analysis of npm prototype pollution advisories reveals rising volume, deeper transitive exposure, and why reachability—not CVSS alone—now separates real risk from noise.
Malicious npm packages targeting developers in 2025
A year-end look at 2025's npm supply chain attacks—chalk/debug phishing, the Shai-Hulud worm, and industrialized malware campaigns—and how to defend against them.
Go's 'go get' Directory Traversal via GOPATH Package Path...
CVE-2018-16874: a directory traversal flaw in Go's go get let malicious GOPATH import paths with curly braces write files outside the workspace.