Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Open Source Security

Composer Arbitrary Code Execution via Platform Config Han...

CVE-2021-41116 let malicious composer.json platform config values inject PHP code into Composer autoload files, causing code execution on install.

Nov 30, 20257 min read
Open Source Security

npm postinstall script malware trends

npm postinstall script malware surged 61% in H1 2026. Here's how attackers weaponize lifecycle hooks — and how to detect and stop them.

Nov 30, 20257 min read
Open Source Security

Packagist's GitHub Webhook Flaw That Could Have Poisoned ...

A 2022 Packagist webhook vulnerability let a crafted GitHub branch name trigger command injection on Packagist's servers, threatening the entire PHP/Composer supply chain.

Nov 30, 20256 min read
Open Source Security

Compromised maintainer accounts on npm

Recent npm maintainer account takeovers show how a single stolen credential can compromise billions of downloads. Here's the anatomy of the threat—and the defense.

Nov 29, 20257 min read
Open Source Security

CocoaPods Trunk Server Remote Code Execution (CVE-2024-38...

CVE-2024-38366 exposed a critical remote code execution flaw in the CocoaPods trunk server, threatening the iOS dependency supply chain for years undetected.

Nov 29, 20257 min read
Open Source Security

CocoaPods Trunk Server Email Verification Bypass Enabling...

CVE-2024-38367 let attackers bypass email verification on the CocoaPods trunk server to take over pod owner accounts, threatening the iOS supply chain. Here's the impact and fix.

Nov 29, 20258 min read
Open Source Security

Most vulnerable npm packages of the year

Safeguard's 2026 mid-year analysis of the npm registry breaks down the packages driving the most risk and why the same names keep coming back.

Nov 29, 20257 min read
Open Source Security

CocoaPods Orphaned Pod Takeover Vulnerability (CVE-2024-3...

CVE-2024-38368 let attackers claim orphaned CocoaPods and push malicious code into any iOS or macOS app still depending on them. Here is what to check.

Nov 29, 20258 min read
Open Source Security

npm package hijacking via expired maintainer domains

Attackers are hijacking npm packages by buying up maintainers' expired email domains to reset account passwords — here's how it works and how to detect it.

Nov 29, 20257 min read
Open Source Security

Node.js runtime CVE roundup

A roundup of Node.js runtime CVEs since 2024 — command injection, HTTP smuggling, permission bypasses, and why runtime flaws evade typical dependency scanners.

Nov 28, 20257 min read
Open Source Security

PyPI typosquatting and malicious package report

A 2026 look at PyPI typosquatting trends: attack patterns, CI/CD targeting, info-stealer payloads, and how to defend the Python supply chain.

Nov 28, 20257 min read
Vulnerability Analysis

Git Clone RCE via Symlink Race on Case-Insensitive Filesy...

A patched Git flaw let attackers achieve remote code execution during clone via a symlink race on case-insensitive filesystems. Here's what teams need to know.

Nov 27, 20258 min read
supply-chain-security (Page 62) — Safeguard Blog