How to Monitor Go Module Substitution Attacks
Defend against Go module substitution attacks with GOPROXY, GOSUMDB, vendor verification, and checksum database monitoring — complete with working examples.
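As an added example (not code from the page or from Safeguard), the following Go program shows the checks that the description names, in a form that runs offline: it reproduces the `h1:` hash that go.sum records for a module, verifies a module's files against a go.sum entry so that a substituted module (same path and version, different bytes) is rejected, and audits GOPROXY, GOSUMDB and GONOSUMDB values for settings that weaken those defences. The module contents, the go.sum line and the function names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Hash1 reproduces the "h1:" hash that go.sum records (the construction used by
// golang.org/x/mod/sumdb/dirhash.Hash1): SHA-256 each file, list them as
// "<hex>  <name>\n" in sorted name order, SHA-256 that listing, base64 it.
// Names must be the ones the go tool hashes: "module@version/path" for zip
// contents, and the bare name "go.mod" for the "/go.mod" line.
func Hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	var listing strings.Builder
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(&listing, "%x  %s\n", sum[:], name)
	}
	final := sha256.Sum256([]byte(listing.String()))
	return "h1:" + base64.StdEncoding.EncodeToString(final[:])
}

// ParseGoSum indexes go.sum lines ("module version hash") by "module version".
// The "/go.mod" suffix stays part of the version, as in the file itself.
func ParseGoSum(text string) map[string]string {
	entries := make(map[string]string)
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			entries[f[0]+" "+f[1]] = f[2]
		}
	}
	return entries
}

// VerifyModule compares a module's files against the go.sum entry. A substituted
// module (same path and version, different bytes) hashes differently and is
// rejected; a missing entry is also an error, never silently trusted.
func VerifyModule(entries map[string]string, module, version string, files map[string][]byte) error {
	want, ok := entries[module+" "+version]
	if !ok {
		return fmt.Errorf("%s %s: no go.sum entry", module, version)
	}
	if got := Hash1(files); got != want {
		return fmt.Errorf("%s %s: checksum mismatch: want %s, got %s", module, version, want, got)
	}
	return nil
}

// AuditEnv flags GOPROXY/GOSUMDB/GONOSUMDB values that weaken the defences:
// GOSUMDB=off disables checksum database verification entirely, every
// GONOSUMDB pattern exempts a module prefix from it, and a "direct" fallback in
// GOPROXY means a proxy 404/410 sends the fetch to the origin repository, which
// is only safe while GOSUMDB still covers that module.
func AuditEnv(goproxy, gosumdb, gonosumdb string) []string {
	var findings []string
	isSep := func(r rune) bool { return r == ',' || r == '|' }
	for _, p := range strings.FieldsFunc(goproxy, isSep) {
		if p == "direct" {
			findings = append(findings, "GOPROXY includes direct: origin fetches on proxy miss")
		}
	}
	if gosumdb == "off" {
		findings = append(findings, "GOSUMDB=off: go.sum entries are never cross-checked")
	}
	for _, pat := range strings.Split(gonosumdb, ",") {
		if pat = strings.TrimSpace(pat); pat != "" {
			findings = append(findings, "GONOSUMDB exempts "+pat+" from the checksum database")
		}
	}
	return findings
}

func main() {
	// Constructed module contents and go.sum line; not a real module.
	files := map[string][]byte{
		"example.com/m@v1.0.0/go.mod": []byte("module example.com/m\n"),
		"example.com/m@v1.0.0/m.go":   []byte("package m\n"),
	}
	entries := ParseGoSum("example.com/m v1.0.0 " + Hash1(files) + "\n")
	fmt.Println("pristine:", VerifyModule(entries, "example.com/m", "v1.0.0", files))

	// Simulated substitution: same module path and version, one file changed.
	files["example.com/m@v1.0.0/m.go"] = []byte("package m\n\nfunc init() { /* payload */ }\n")
	fmt.Println("substituted:", VerifyModule(entries, "example.com/m", "v1.0.0", files))

	for _, f := range AuditEnv("https://proxy.golang.org,direct", "off", "corp.example.com") {
		fmt.Println("env:", f)
	}
}
```

`go mod verify` performs the same comparison for modules in the local cache; reproducing the hash yourself is what lets you check a vendored tree or an internal mirror against a go.sum you trust, without the toolchain and without network access. The one-file `go.mod` line and the zip line are hashed by the same function, only the file names differ.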
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Cython-built Python extensions ship as platform-specific binaries with a build toolchain behind them. That introduces supply chain surface most teams have not mapped.
PyPI Organization Accounts add real structure to a registry that was individual-first for two decades. A deep look at the security model, what it enables, and what it still doesn't.
A look at how organizations can claim reserved namespace prefixes on RubyGems.org, what the policy currently supports, and where it falls short for real enterprise use cases.
Rust is moving into embedded production fast. The supply chain shape for firmware is different from server-side Rust — smaller trees, longer lifetimes, tighter regulations.
PyPI download numbers are noisy, gameable, and widely misused. A closer look at what they actually measure, how to read them for security purposes, and where they break.
When an npm package in your dependency graph is compromised at midnight, you need a playbook, not a brainstorm. Here is the one I wrote after three real incidents.
NuGet supports signed packages — author signatures, repository signatures, and verification modes. A practical guide to enforcing it properly.
How to actually audit unsafe blocks across a large Rust dependency graph without drowning in false positives or missing real issues.