Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

DevSecOps

GitLab CI Security Best Practices for 2026

GitLab CI hands every job a CI_JOB_TOKEN, a runner, and your variables. This guide covers the real attack surface — remote includes, token scope, privileged runners — with hardened .gitlab-ci.yml examples, OIDC, and scanning.

Jul 2, 20266 min read
Guides

SBOM for Beginners: What a Software Bill of Materials Really Is

Modern software is assembled from hundreds of parts you did not write. An SBOM is the ingredient label that lists them all. Here is a warm, beginner-friendly tour with a first SBOM you can generate today.

Jul 2, 20266 min read
DevSecOps

GitHub Actions Supply Chain Security: A 2026 Hardening Guide

GitHub Actions runs with your secrets and write access to your repo. This guide maps the real attack surface — from the tj-actions compromise to script injection — and gives you copy-paste hardening, OIDC, and scanning.

Jul 1, 20266 min read
Security Guides

How to Build a Secure npm Package (2026)

A practical checklist for shipping an npm package that resists supply chain attacks: provenance, granular tokens, minimal published files, no install scripts, and ReDoS-safe code.

Jul 1, 20265 min read
Tutorials

How to Check if an npm Package Is Safe

Before you run npm install, learn a quick, repeatable routine to judge whether an npm package is trustworthy — using metadata, known vulnerabilities, and a scan.

Jul 1, 20265 min read
Tutorials

How to Generate an SBOM: A Step-by-Step Guide

Produce a spec-compliant CycloneDX or SPDX software bill of materials from any repository in minutes, validate it, and attach it to a release — with real commands you can run today.

Jul 1, 20266 min read
AI Security

Patch the Planet: What AI-Generated Fixes Actually Mean for Open-Source Maintainers

OpenAI's Patch the Planet, co-founded with Trail of Bits, wants to move widely-used open-source projects from findings to fixes. The ambition is right — but it shifts the bottleneck to maintainer review, patch provenance, and the trust of machine-authored code.

Jun 24, 20266 min read
AI Security

Claude Code Security: A Practical Guide for Teams Adopting AI Coding Agents

Claude Code can read your repo, run commands, and edit files — which is exactly why it needs the same security engineering as any privileged developer tool. Here's a practical hardening guide.

Jun 2, 20265 min read
Threat Intelligence

ESET's May 2026 APT Report: Oil Shipments, Drone Makers, and a Poisoned npm Library

ESET's APT Activity Report (May 28, 2026) maps China-, North Korea-, Russia-, and Iran-aligned operations from October 2025 to March 2026 — including BlueNoroff's compromise of the axios npm package, a textbook supply-chain espionage event.

May 28, 202610 min read
Supply Chain Attacks

Megalodon: 5,561 GitHub Repos Backdoored via Injected Actions Workflows (May 2026)

In a six-hour window on May 18, 2026, an automated campaign pushed malicious GitHub Actions workflows into 5,561 repositories using credentials harvested by infostealers. We break down the attack chain, the workflow_dispatch dormancy trick, and CI detection.

May 23, 202612 min read
DevSecOps

Mutable Tags Strike Again: actions-cool GitHub Action Tags Redirected to Imposter Commits (May 2026)

In May 2026, every tag on actions-cool/issues-helper and 15 tags on maintain-one-comment were quietly moved to point at imposter commits that stole CI/CD credentials from runner memory. A look at the mutable-tag attack class and how to defeat it.

May 21, 202610 min read
Supply Chain Attacks

Microsoft's durabletask PyPI Package Compromised (19 May 2026): A Linux Wiper and Multi-Cloud Credential Theft

On 19 May 2026, three malicious versions of Microsoft's durabletask PyPI package were uploaded in a 35-minute window. The payload steals AWS, Azure, GCP, and Kubernetes credentials in under four seconds and ships a locale-gated rm -rf wiper.

May 20, 202610 min read
supply-chain (Page 3) — Safeguard Blog