supply-chain
Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.
757 articles
SolarWinds Sunburst: Five Years of Lessons in 2026
Half a decade after Sunburst, the build system compromise still defines how we think about software supply chain risk. A look at what stuck and what did not.
Homomorphic Encryption in Software Supply Chains
A grounded look at BFV, CKKS, and TFHE schemes for supply chain workloads, measured costs, library choices, and where HE is not yet practical.
OWASP Top 10:2025 RC1: Software Supply Chain Failures Becomes Its Own Category
The OWASP Top 10:2025 release candidate, published November 2025, splits Vulnerable Components into a broader Software Supply Chain Failures category and elevates Security Misconfiguration to #2.
Software Provenance: An End-to-End Guide
Provenance answers where software came from and how it was built. Here is how to implement end-to-end provenance tracking from source to deployment.
ENISA Threat Landscape 2025: Supply Chain Section Decoded
ENISA's October 2025 report analysed 4,875 incidents from July 2024 to June 2025 and found phishing led at 60% of intrusions, with supply chain and slopsquatting as fast-growing vectors.
The Complete Guide to Dependency Lifecycle Management
Dependencies are not static. They are born, maintained, deprecated, and abandoned. Here is how to manage the full lifecycle of your software dependencies.
The MCP Registry and the Namespace-Impersonation Problem
The official MCP Registry launched in September 2025 with namespace-bound publishing. We unpack the trust model and what it does — and does not — defend against.
npm-check-updates: A Safe Dependency Upgrade Workflow
npm check updates (ncu) shows you every dependency with a newer version than your ranges allow. The tool is simple; the workflow around it is what keeps upgrades from breaking prod.
Prisma Cloud vs Wiz: Supply Chain Features
Both Prisma Cloud and Wiz have expanded into supply chain territory from cloud security origins. A head-to-head on what each actually delivers on the supply chain dimension.
Supply Chain Attack Trends: Q3 2025
A data-led look at software supply chain attacks in Q3 2025: npm maintainer phishing, VS Code extension abuse, and a quiet shift toward CI/CD targeting.
Shai-Hulud: The Self-Replicating npm Worm That Hit 500+ Packages
On September 15, 2025, a self-replicating npm worm dubbed Shai-Hulud backdoored more than 500 packages, including @ctrl/tinycolor and CrowdStrike libraries, by pivoting through stolen publish tokens.
@ctrl/tinycolor and the 40-Package npm Wave of September 2025
@ctrl/tinycolor versions 4.1.1 and 4.1.2 shipped a credential-stealing payload that propagated to 40+ packages with 2 million combined weekly downloads in under 24 hours.