Resources

Supply Chain Security, in plain English.

Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.

Filter

All (12)AI Security (392)DevSecOps (197)Best Practices (175)Open Source Security (154)Vulnerability Analysis (117)Incident Analysis (114)Industry Analysis (107)Compliance (100)Application Security (97)Regulatory Compliance (89)Container Security (89)Cloud Security (70)Vulnerability Management (70)Software Supply Chain Security (65)Threat Intelligence (56)Supply Chain Attacks (54)SBOM (41)Product (36)Supply Chain Security (32)Tools (32)SBOM & Compliance (30)Ransomware (24)Infrastructure Security (23)Regulation (20)Industry Guides (19)Compliance & Regulations (18)Emerging Technology (17)Case Studies (17)Agent Security (16)Vulnerability Response (16)Risk Management (16)Tool Reviews (16)Buyer's Guides (15)Incident Response (15)Industry Events (14)Security Strategy (13)Supply Chain (12)Frameworks (12)Data Breach (11)Dependency Security (11)Web Security (11)Open Source (9)Kubernetes Security (9)Strategy (8)Vulnerabilities (8)Company (8)Standards (8)Architecture (8)Industry Insights (7)Industry Trends (7)Secure Development (7)AppSec (7)How-To Guide (7)Zero-Day Exploits (7)Network Security (7)Dependency Management (7)Vendor Comparison (6)Research (6)Tutorials (6)Security Operations (6)Organizational Security (6)Developer Security (6)Breach Analysis (5)Code Security (5)Cryptocurrency Security (4)Tool Comparison (4)Mobile Security (4)Product Launch (4)Policy (4)Offensive Security (4)Tool Comparisons (4)Healthcare Security (3)Social Engineering (3)Build Security (3)Industry (3)Vulnerability Research (3)Compliance & Frameworks (3)Regional Security (3)Policy & Compliance (3)SBOM Standards (3)Software Supply Chain (3)Analysis (3)Startup Security (3)Hardware Security (3)Identity Security (2)Security (2)Zero-Day Analysis (2)Industry News (2)Release (2)SBOM and Compliance (2)Security Management (2)Threat Actors (2)API Security (2)Security Architecture (2)Security Culture (2)DeFi Security (2)Incident Postmortem (1)Technical (1)Healthcare (1)Events (1)Product Update (1)Engineering (1)Language Security (1)Emerging Threats (1)Privacy (1)Lifecycle Management (1)Career Development (1)Tools & Platforms (1)Threat Modeling (1)Browser Security (1)Threat Analysis (1)Business Continuity (1)Runtime Security (1)Governance (1)Credential Attacks (1)PKI Security (1)Architecture Security (1)Nation-State Threats (1)Tools & Techniques (1)Privacy & Security (1)

Articles

RSS feed

Supply Chain

RubyGems and Bundler's Cooldown Discussion: Soak Windows as a First-Class Defender Policy

After the 2025 supply-chain waves, the ruby/rubygems community opened Discussion #9113 to evaluate a built-in cooldown feature for bundle update. Here is the defender argument and how to implement it today.

May 15, 20267 min read

Supply Chain

A Defender's Template for Package Registry Incident Communications, Built from the 2025-2026 Response Postmortems

The npm Shai-Hulud, PyPI credential-leak, and tj-actions response postmortems published through 2025-2026 reveal a common communication shape. Here is the template, the timing, and the policy that turns the template into a fast response.

May 14, 20267 min read

Supply Chain

NuGet's September 2025 Trusted Publishing Launch and the 2026 Signing Roadmap

NuGet became the fifth major registry to ship Trusted Publishing in September 2025, with .NET package signing and ID prefix reservation forming a complete trust-signal stack for the ecosystem.

May 12, 20266 min read

Supply Chain

Private Registry Hardening in 2026: How Nexus Firewall and JFrog Curation Closed the Mirror-Pass-Through Gap

Through 2025-2026, Sonatype Nexus Firewall, JFrog Curation, and Harness Artifact Registry shipped policy features specifically aimed at the Shai-Hulud pass-through problem, where private mirrors silently replicated malicious upstream packages.

Apr 22, 20267 min read

Supply Chain

How npm's Takedown Response Time Compressed from Days to Hours During the 2025 Shai-Hulud Waves

AWS measured the September 8 chalk/debug compromise being removed within 2.5 hours and Shai-Hulud 2.0 in November within 12 hours. Here is how the registry-side response workflow operates and how to consume the signal.

Apr 2, 20267 min read

Supply Chain

GitHub Actions Immutable Actions GA: Why OCI-Backed Action Distribution Closes the tj-actions Class of Attack

GitHub's 2026 roadmap puts Immutable Actions GA at the center of Actions supply-chain hardening, publishing actions as OCI artifacts with hash-mismatch fail-fast and full composite-action visibility.

Mar 25, 20266 min read

Supply Chain

Trusted Publishing Across Every Major Registry: The 2026 State of OIDC-Backed Publishing

By end of 2025, Trusted Publishing landed on PyPI, RubyGems, npm, crates.io, and NuGet. PyPI alone crossed one million Trusted-Publisher uploads. Here is the defender view of the cross-ecosystem rollout.

Mar 3, 20266 min read

Supply Chain

Inside PyPI Project Quarantine: How the Reversible Takedown Workflow Has Performed Since Launch

PyPI's Project Quarantine status, introduced in August 2024 and used roughly 140 times in its first year, replaces irreversible deletions with a reversible hidden state. Here is how the workflow operates and how to consume the signal.

Feb 4, 20266 min read

Supply Chain

Shai-Hulud: The Self-Replicating npm Worm That Hit 500+ Packages

On September 15, 2025, a self-replicating npm worm dubbed Shai-Hulud backdoored more than 500 packages, including @ctrl/tinycolor and CrowdStrike libraries, by pivoting through stolen publish tokens.

Sep 22, 20256 min read

Page 1 of 2

Stay informed

Weekly insights on software supply chain security, delivered to your inbox.

Blog | Safeguard — Software Supply Chain Security Insights