Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Three PyPI packages impersonating Alibaba's AI Labs SDK exfiltrated .gitconfig data from developer machines in a regionally targeted 2025 espionage campaign.
Vulnerability scanning is one dimension of open source risk. A true risk intelligence platform must also evaluate maintainer health, project sustainability, licensing, and malicious package threats.
Mozilla and Google expanded cargo-vet's shared audit pool to 14,000 crates in Q1 2025. Here's how to adopt it without drowning in imports.
PEP 740 brings Sigstore-style attestations to PyPI. A close read of the roadmap, what's actually shipped, and what it means for consumers and publishers over the next 12 months.
Defend against Go module substitution attacks with GOPROXY, GOSUMDB, vendor verification, and checksum database monitoring — complete with working examples.
Cython-built Python extensions ship as platform-specific binaries with a build toolchain behind them. That introduces supply chain surface most teams have not mapped.
PyPI Organization Accounts add real structure to a registry that was individual-first for two decades. A deep look at the security model, what it enables, and what it still doesn't.
A look at how organizations can claim reserved namespace prefixes on RubyGems.org, what the policy currently supports, and where it falls short for real enterprise use cases.
Rust is moving into embedded production fast. The supply chain shape for firmware is different from server-side Rust — smaller trees, longer lifetimes, tighter regulations.
Weekly insights on software supply chain security, delivered to your inbox.