Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

Incident Postmortem

GitHub VS Code Extension Breach (20 May 2026): What Happened, How It Worked, and What to Do Monday Morning

GitHub disclosed on 20 May 2026 that a poisoned VS Code Marketplace extension was used to exfiltrate roughly 3,800 private repositories from enterprise engineering orgs, landing in the middle of a broader May 2026 wave of developer-surface supply chain attacks.

May 20, 202616 min read
Regulatory Compliance

NIS2's First Enforcement Wave (May 2026): What the Early Proceedings Tell Compliance Teams

By May 2026 the first NIS2 enforcement actions are surfacing across early-transposing member states, starting with registration and notification failures. We analyze what authorities are pursuing first and how to build evidence that survives the escalation.

May 20, 202611 min read
Supply Chain

Axios npm Vulnerabilities: The Full CVE History and Patch Guide

Every notable axios npm vulnerability, from the 2019 DoS to the 2025 SSRF, with the fixed versions and a patch path that also catches the transitive ones.

May 19, 20266 min read
Regulatory Compliance

UK Cyber Security and Resilience Bill (May 2026): Report Stage, Supply Chain, and the 24-Hour Clock

By May 2026 the UK's Cyber Security and Resilience Bill has cleared Commons committee and is heading to Report stage. We analyze its expanded scope, the 24-hour incident reporting requirement, and the supply chain obligations software vendors should prepare for.

May 18, 202611 min read
Supply Chain Attacks

node-ipc Compromised Again (14 May 2026): An 80 KB Credential Stealer in a 10M-Download Library

On 14 May 2026, three malicious node-ipc versions (9.1.6, 9.2.3, 12.0.1) shipped an 80 KB credential-stealing IIFE appended after module.exports in the CJS bundle — no install scripts, harvesting 90+ secret categories from a library with 10M+ weekly downloads.

May 15, 20269 min read
Industry Insights

Higher education software supply chain risk in 2026

SIS platforms, LMS deployments, research data pipelines, and the federated identity surface that makes higher education one of the most consequential supply chain environments to defend.

May 15, 20267 min read
Industry Insights

Linux Foundation versus Apache Software Foundation: how governance shapes supply-chain risk

Both foundations host critical software, but they organize it very differently. The Linux Foundation's project-by-project incubation model and the ASF's uniform graduation process produce different risk profiles for the consumers downstream.

May 15, 20268 min read
Supply Chain Attacks

RubyGems Suspends New Signups After a 500-Package Malicious Flood (May 2026)

On 12-13 May 2026, RubyGems was hit by a coordinated spam-publishing flood that pushed 500+ malicious packages from newly-registered bot accounts. The registry paused new signups and re-enabled them on 16 May after tightening rate limiting with Fastly.

May 14, 20269 min read
Cloud Security

Cloudflare Workers, KV, and Durable Objects: the supply chain view in 2026

Worker bundle composition, wrangler publish trust, and the deploy-from-CI credential blast radius are the supply chain shape of Cloudflare in 2026.

May 14, 20267 min read
Supply Chain Attacks

RabbitMQ management plugin CVEs: brokers deserve database-grade SBOM scrutiny

Authentication and plugin-loading risks in RabbitMQ's management plugin show why message brokers, which hold credentials and pass payloads, should be inventoried with the same rigor as databases.

May 14, 20266 min read
Open Source

npm package signature verification: the 2026 rollout state

Every package on npm is signed by the registry, but the actual posture of install-time signature verification across real-world tooling is patchier than the headline suggests. This is where npm audit signatures and downstream verifiers stand in 2026.

May 14, 202610 min read
Compliance

NY DFS 23 NYCRR 500 amendments and third-party software risk in 2026

The November 2023 amendments to NY DFS 23 NYCRR Part 500 tightened third-party service provider requirements and added new obligations around software supply chain risk. Covered entities are now in steady-state implementation.

May 14, 20268 min read
supply-chain (Page 4) — Safeguard Blog