Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1052 articles

Open Source Security

RubyGems Malicious Gem Arbitrary Code Execution via Missi...

CVE-2019-8324 let a malicious RubyGems package run arbitrary code at install time via a crafted multi-line gem name evaluated during the preinstall check.

Dec 4, 20257 min read
Vulnerability Analysis

Secrets leakage in Docker images explained

How credentials get baked into Docker image layers, real incidents that exposed them, and how to detect and stop secrets leakage in container images.

Dec 3, 20257 min read
Open Source Security

RubyGems Escape Sequence Injection via Unpack API (CVE-20...

CVE-2019-8325 lets a malicious RubyGems package inject terminal escape sequences via the unpack API. Here's the impact, affected versions, and how to remediate it.

Dec 3, 20258 min read
Open Source Security

pip's Version-Based Resolution and the Origin of Dependen...

CVE-2018-20225 exposed how pip's version-based resolver lets a higher-versioned public PyPI package silently override a private one — the origin of dependency confusion attacks.

Dec 3, 20257 min read
Open Source Security

node-tar Arbitrary File Write via Symlink Extraction (CVE...

CVE-2021-32803 allows crafted symlinks in tar archives to make node-tar write files outside the extraction directory via malicious npm packages.

Dec 2, 20257 min read
Vulnerability Analysis

Python Pickle deserialization risk explained

Pickle deserialization lets attacker-controlled data execute arbitrary code on load. Here's how the exploit works, real CVEs, and how to fix it.

Dec 2, 20257 min read
Open Source Security

node-tar Windows-Specific Path Traversal Bypass (CVE-2021...

CVE-2021-37712 let malicious tar archives bypass node-tar's symlink protections on Windows via junctions, enabling path traversal during npm installs. Here's what to patch.

Dec 2, 20258 min read
Vulnerability Analysis

Argument injection vulnerabilities explained

How argument injection (CWE-88) vulnerabilities work, real CVEs like PHPMailer and Git ssh URLs, and how teams detect and prevent CWE-88 flaws.

Dec 1, 20257 min read
Open Source Security

The coa and rc npm Maintainer Account Hijack Incident

How the coa and rc npm hijack let attackers seize maintainer accounts on two packages with 20M+ weekly downloads to push Windows password-stealing malware.

Dec 1, 20256 min read
Open Source Security

npm prototype pollution trends report 2025

Safeguard's 2025 analysis of npm prototype pollution advisories reveals rising volume, deeper transitive exposure, and why reachability—not CVSS alone—now separates real risk from noise.

Dec 1, 20257 min read
Open Source Security

Malicious npm packages targeting developers in 2025

A year-end look at 2025's npm supply chain attacks—chalk/debug phishing, the Shai-Hulud worm, and industrialized malware campaigns—and how to defend against them.

Nov 30, 20257 min read
Open Source Security

Go's 'go get' Directory Traversal via GOPATH Package Path...

CVE-2018-16874: a directory traversal flaw in Go's go get let malicious GOPATH import paths with curly braces write files outside the workspace.

Nov 30, 20257 min read
supply-chain-security (Page 61) — Safeguard Blog