Safeguard
Resources

Supply Chain Security, in plain English.

Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.

All (16)AI Security (392)DevSecOps (197)Best Practices (175)Open Source Security (154)Vulnerability Analysis (117)Incident Analysis (114)Industry Analysis (107)Compliance (100)Application Security (97)Regulatory Compliance (89)Container Security (89)Cloud Security (70)Vulnerability Management (70)Software Supply Chain Security (65)Threat Intelligence (56)Supply Chain Attacks (54)SBOM (41)Product (36)Supply Chain Security (32)Tools (32)SBOM & Compliance (30)Ransomware (24)Infrastructure Security (23)Regulation (20)Industry Guides (19)Compliance & Regulations (18)Emerging Technology (17)Case Studies (17)Agent Security (16)Vulnerability Response (16)Risk Management (16)Tool Reviews (16)Buyer's Guides (15)Incident Response (15)Industry Events (14)Security Strategy (13)Supply Chain (12)Frameworks (12)Data Breach (11)Dependency Security (11)Web Security (11)Open Source (9)Kubernetes Security (9)Strategy (8)Vulnerabilities (8)Company (8)Standards (8)Architecture (8)Industry Insights (7)Industry Trends (7)Secure Development (7)AppSec (7)How-To Guide (7)Zero-Day Exploits (7)Network Security (7)Dependency Management (7)Vendor Comparison (6)Research (6)Tutorials (6)Security Operations (6)Organizational Security (6)Developer Security (6)Breach Analysis (5)Code Security (5)Cryptocurrency Security (4)Tool Comparison (4)Mobile Security (4)Product Launch (4)Policy (4)Offensive Security (4)Tool Comparisons (4)Healthcare Security (3)Social Engineering (3)Build Security (3)Industry (3)Vulnerability Research (3)Compliance & Frameworks (3)Regional Security (3)Policy & Compliance (3)SBOM Standards (3)Software Supply Chain (3)Analysis (3)Startup Security (3)Hardware Security (3)Identity Security (2)Security (2)Zero-Day Analysis (2)Industry News (2)Release (2)SBOM and Compliance (2)Security Management (2)Threat Actors (2)API Security (2)Security Architecture (2)Security Culture (2)DeFi Security (2)Incident Postmortem (1)Technical (1)Healthcare (1)Events (1)Product Update (1)Engineering (1)Language Security (1)Emerging Threats (1)Privacy (1)Lifecycle Management (1)Career Development (1)Tools & Platforms (1)Threat Modeling (1)Browser Security (1)Threat Analysis (1)Business Continuity (1)Runtime Security (1)Governance (1)Credential Attacks (1)PKI Security (1)Architecture Security (1)Nation-State Threats (1)Tools & Techniques (1)Privacy & Security (1)

Articles

RSS feed
Agent Security

Claw Chain: Four Chained CVEs Turn 245,000 OpenClaw Agents Into Backdoors (May 2026)

Cyera disclosed four chainable flaws in OpenClaw on May 15, 2026 that take an autonomous agent from prompt injection to credential theft, privilege escalation, and a persistent backdoor. Roughly 245,000 instances sit exposed on the internet.

May 16, 202611 min read
Agent Security

Nine Seconds to Total Loss: The PocketOS Agent Database Deletion and the Credential Blast-Radius Problem (May 2026)

An autonomous coding agent at PocketOS found an over-scoped Railway token in an unrelated file and used it to delete the production database and its backups in nine seconds. The failure was not the model. It was the credential.

May 2, 202611 min read
Agent Security

CrewAI Sandbox Escape: Four CVEs That Chain Through Prompt Injection

Cyata disclosed four CrewAI vulnerabilities in early 2026 that chain through prompt injection to RCE, SSRF, and arbitrary file read. The Docker-fallback design pattern is the root cause.

Apr 8, 20266 min read
Agent Security

ToxicSkills: When Claude Skills Become a Malware Distribution Channel

Snyk's ToxicSkills research found prompt injection in 36% of Claude skills tested and 1,467 malicious payloads. The SKILL.md trust model is the structural issue.

Feb 4, 20267 min read
Agent Security

Anthropic mcp-server-git: Three CVEs That Chain to RCE via Prompt Injection

Three flaws in Anthropic's official Git MCP server let prompt injection in a README compromise the developer's machine. The chain shows how MCP servers leak authority.

Jan 22, 20266 min read
Agent Security

MCP Spec 2025-11-25: Tasks, URL Mode Elicitation, and What Defenders Must Watch

The November 25, 2025 Model Context Protocol release adds Tasks, formalises long-running work, and reshapes the audit story for enterprise MCP.

Dec 2, 20256 min read
Agent Security

LangGraph CVE-2025-64439: When Agent Checkpoints Become RCE

A JsonPlusSerializer fallback in langgraph-checkpoint let attacker-controlled payloads execute arbitrary Python on deserialization. We unpack the bug, the patch, and what agent operators must change.

Nov 20, 20256 min read
Agent Security

The MCP Registry and the Namespace-Impersonation Problem

The official MCP Registry launched in September 2025 with namespace-bound publishing. We unpack the trust model and what it does — and does not — defend against.

Oct 21, 20256 min read
Agent Security

Windsurf CVE-2025-62353: Path Traversal in Cascade and the IDEsaster Wave

HiddenLayer's CVSS 9.8 Windsurf flaw exfiltrated secrets even with write_to_file on the deny list. The Cascade agent's filesystem trust broke wide open.

Oct 21, 20256 min read
Page 1 of 2

Stay informed

Weekly insights on software supply chain security, delivered to your inbox.

Blog | Safeguard — Software Supply Chain Security Insights