Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Supply Chain Attacks

Bun-compiled JS binaries as PyPI credential stealers

Two lightning releases fetched the Bun runtime at import time to run an 11MB obfuscated JS stealer — PyPI's Python trust model didn't expect a JS binary.

Jul 8, 20266 min read
AI Security

Code injection risks in GenAI-generated code

Nearly 40% of GitHub Copilot's suggested programs contain exploitable vulnerabilities, and 19.7% of AI-generated code samples reference packages that don't exist.

Jul 8, 20267 min read
Best Practices

The code-to-cloud AppSec checklist: unifying code, dependency, container, and config security

Log4Shell and the XZ Utils backdoor both proved the same thing: a flaw in one layer is only as contained as your weakest disconnected tool.

Jul 8, 20267 min read
Container Security

Sigstore vs. Notary v2 vs. Docker Content Trust: signing containers in 2026

Docker retires Content Trust on December 8, 2026, while fewer than 0.05% of Hub pulls ever used it — here's how Sigstore and Notary v2 actually replaced it.

Jul 8, 20267 min read
Container Security

Securing Containerized AI Workloads: Base Images, GPU Drivers, and Runtime Policy

A CVSS 9.0 flaw in NVIDIA's Container Toolkit let any GPU container escape to the host — and its first patch didn't fully close it. Here's how to defend AI infrastructure.

Jul 8, 20265 min read
Vulnerability Management

Inside CVE-2023-46233: How crypto-js Shipped a 1.3-Million-Times-Weaker Key Derivation

crypto-js versions before 4.2.0 defaulted PBKDF2 to SHA1 with a single iteration — NVD calls it 1,300,000 times weaker than modern standards. Here's the fix.

Jul 8, 20266 min read
Open Source Security

What the curl CVE disclosures teach about patching embedded C libraries

curl.se lists 206 published CVEs across two decades — two 2023 disclosures show why transitive C-library patching needs its own discipline.

Jul 8, 20267 min read
Best Practices

Defense-in-depth for a modern cloud-native application stack

Log4Shell and the XZ backdoor were caught two different ways — one by patching, one by a developer noticing 500ms of extra SSH latency. Neither alone is a strategy.

Jul 8, 20266 min read
Supply Chain Security

Dependency confusion and npm supply-chain hardening

One researcher earned over $130,000 exploiting name collisions between public and private registries at 35 companies — here's how lockfiles and scoping stop it.

Jul 8, 20267 min read
Open Source Security

Dependabot vs. Renovate: Tuning Dependency Updates Without Drowning in PRs

Dependabot GA'd grouped security updates in March 2024 and cross-directory consolidation in February 2026 — both direct responses to teams muting bots entirely.

Jul 8, 20267 min read
AI Security

Detecting AI Hallucinations in Generated Code

A USENIX Security 2025 study found 19.7% of packages recommended by 16 LLMs across 576,000 code samples don't exist — and attackers are registering them first.

Jul 8, 20266 min read
Supply Chain Security

What developer-first supply chain security actually requires

The xz-utils backdoor was caught by a 500ms SSH login delay, not a scanner. Real developer-first security means catching it before the commit ships.

Jul 8, 20267 min read
supply-chain-security (Page 9) — Safeguard Blog