supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
749 articles
Slopsquatting: When AI Hallucinates a Package Attackers Register
AI coding assistants confidently recommend packages that do not exist. Attackers noticed. Slopsquatting turns a model's hallucination into a supply-chain foothold — and the fix is not to make models stop hallucinating.
OWASP A08: Software and Data Integrity Failures — A Deep-Dive Guide
Software and Data Integrity Failures rank #8 in the OWASP Top 10 (2021). A deep dive into insecure deserialization, unsigned updates, SolarWinds, and real CVEs.
Securing CI/CD Secrets: OIDC, Scanning, and Short-Lived Credentials
CI/CD secrets are the crown jewels attackers go after — the CircleCI breach forced every customer to rotate everything. This guide covers secret sprawl, scanning, OIDC federation, and killing long-lived credentials for good.
Understanding Open Source Security Risk
Open source powers nearly every modern application, but the code you inherit brings risks you did not write. This guide explains where open source risk comes from, how it reaches your product, and how to manage it without abandoning the ecosystem.
Subresource Integrity (SRI) Explained (2026)
Subresource Integrity pins a cryptographic hash to every script you load from a CDN, so a compromised CDN cannot silently swap in malicious code. Here is how it works and where it stops.
CircleCI Security Best Practices After the 2023 Breach
The January 2023 CircleCI incident forced every customer to rotate every secret. Here is what it taught us — plus hardened config.yml examples for orb pinning, restricted contexts, OIDC, and adding scanning.
OWASP A06: Vulnerable and Outdated Components — A Deep-Dive Guide
Vulnerable and Outdated Components rank #6 in the OWASP Top 10 (2021). A deep dive into transitive risk, real CVEs like Log4Shell, and how to fix it in 2026.
The XZ Utils Backdoor (CVE-2024-3094) Explained: A Near-Miss Supply Chain Catastrophe
CVE-2024-3094 was a deliberately planted backdoor in xz-utils 5.6.0/5.6.1 targeting sshd. It was caught by a 500ms delay one engineer refused to ignore. Here is how the attack worked.
Jenkins Pipeline Security: Hardening the Controller and Your Builds
Jenkins is a favorite target because the controller holds every credential and runs arbitrary Groovy. This guide covers CVE-2024-23897, the plugin attack surface, credential handling, ephemeral agents, and adding scanning.
WebP (CVE-2023-4863) Explained: The libwebp Heap Overflow That Patched the Web
CVE-2023-4863 was an actively exploited heap buffer overflow in libwebp's Huffman decoder. Because the codec is vendored everywhere, one bug forced emergency patches across browsers and apps.
Bun Security Best Practices (2026)
Bun is fast and Node-compatible, but unlike Deno it has no permission sandbox. Here is how to run it safely: trusted-dependency script blocking, frozen lockfiles, and real dependency auditing.
What's the Cheapest Way to Start Supply Chain Security? (FAQ)
The most affordable way to run real software supply chain security in 2026 — why Safeguard's $1 Starter plan is the cheapest genuine entry point, and what 'cheap' should and shouldn't mean.