Safeguard
Resources

Supply Chain Security, in plain English.

Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.

All (54)AI Security (384)DevSecOps (197)Best Practices (175)Open Source Security (154)Vulnerability Analysis (117)Incident Analysis (114)Industry Analysis (107)Compliance (100)Application Security (97)Regulatory Compliance (89)Container Security (89)Cloud Security (70)Vulnerability Management (70)Software Supply Chain Security (65)Supply Chain Attacks (54)Threat Intelligence (47)SBOM (41)Product (35)Tools (32)SBOM & Compliance (30)Supply Chain Security (25)Ransomware (24)Infrastructure Security (23)Regulation (20)Industry Guides (19)Compliance & Regulations (18)Emerging Technology (17)Case Studies (17)Agent Security (16)Vulnerability Response (16)Risk Management (16)Tool Reviews (16)Incident Response (15)Security Strategy (13)Supply Chain (12)Frameworks (12)Data Breach (11)Dependency Security (11)Web Security (11)Open Source (9)Kubernetes Security (9)Company (8)Standards (8)Architecture (8)Industry Insights (7)Industry Trends (7)Secure Development (7)AppSec (7)How-To Guide (7)Zero-Day Exploits (7)Network Security (7)Dependency Management (7)Vendor Comparison (6)Research (6)Tutorials (6)Security Operations (6)Organizational Security (6)Developer Security (6)Breach Analysis (5)Code Security (5)Cryptocurrency Security (4)Tool Comparison (4)Mobile Security (4)Product Launch (4)Policy (4)Offensive Security (4)Tool Comparisons (4)Healthcare Security (3)Social Engineering (3)Build Security (3)Industry (3)Vulnerability Research (3)Compliance & Frameworks (3)Regional Security (3)Policy & Compliance (3)SBOM Standards (3)Software Supply Chain (3)Analysis (3)Startup Security (3)Hardware Security (3)Identity Security (2)Security (2)Zero-Day Analysis (2)Industry News (2)Release (2)SBOM and Compliance (2)Security Management (2)Threat Actors (2)API Security (2)Security Architecture (2)Security Culture (2)DeFi Security (2)Incident Postmortem (1)Technical (1)Healthcare (1)Events (1)Product Update (1)Engineering (1)Language Security (1)Emerging Threats (1)Privacy (1)Lifecycle Management (1)Career Development (1)Tools & Platforms (1)Threat Modeling (1)Browser Security (1)Threat Analysis (1)Business Continuity (1)Runtime Security (1)Governance (1)Credential Attacks (1)PKI Security (1)Architecture Security (1)Nation-State Threats (1)Tools & Techniques (1)Privacy & Security (1)

Articles

RSS feed
Supply Chain Attacks

VS Code marketplace incident postmortem: what 2023-2024 actually taught us

Between 2023 and 2024 the VS Code Marketplace saw a string of typosquat, hijack, and impersonation incidents that shaped Microsoft's eventual hardening response. This is a composite postmortem of what happened, what changed, and what is still broken in 2026.

May 13, 20268 min read
Supply Chain Attacks

UEFI Secure Boot after BlackLotus and PKfail: what the trust chain still assumes

Secure Boot was designed to keep untrusted code from running before the operating system, but its trust anchors live in firmware that OEMs control and sometimes leak. BlackLotus and PKfail exposed the gap between the spec and the deployment.

May 12, 20267 min read
Supply Chain Attacks

Firefox add-on supply chain: how Mozilla's posture differs from Chrome's

Mozilla Add-ons applies mandatory signing, a stricter review path for extensions that touch broad permissions, and a separately maintained recommended-extensions program. Here is what that buys defenders in 2026 and where the gaps still are.

May 12, 20268 min read
Supply Chain Attacks

Chrome extension marketplace hijack: the acquired-and-weaponized pattern

Legitimate Chrome extensions keep getting acquired and turned malicious, and content_scripts give the new owner code execution inside every user's browser session. Here is why the pattern keeps working in 2026 and what defenders can do about it.

May 12, 20269 min read
Supply Chain Attacks

BMC firmware and the supply chain you forgot you had

Baseboard management controllers run their own operating system below your hypervisor, ship as binary blobs from vendors like AMI and Insyde, and almost never appear in an SBOM. The MegaRAC incidents made that gap impossible to ignore.

May 12, 20268 min read
Supply Chain Attacks

When the Vulnerability Is the Design: MCP STDIO Command Injection Across 150M Downloads (May 2026)

OX Security documented command injection through the MCP STDIO transport across Python, TypeScript, Java, and Rust SDKs. Anthropic calls the behavior by-design and won't patch upstream. That leaves the fix to thousands of downstream projects.

May 6, 202611 min read
Supply Chain Attacks

tj-actions Supply Chain Attack March 2025: A Postmortem

The tj-actions/changed-files compromise exposed CI secrets across thousands of public repositories. A postmortem on the attack chain and the GitHub Actions trust model.

Apr 28, 20265 min read
Supply Chain Attacks

Go Toolchain Supply Chain Risks: 2025 Research

2025 research on Go toolchain supply chain risks: module proxy abuse, replace directive attacks, cgo linker vectors, and the hardening patterns Go shops should adopt.

Apr 6, 20268 min read
Supply Chain Attacks

Composer/PHP Supply Chain Threats: 2025 Report

A senior engineer's 2025 report on Composer and Packagist supply chain threats: namespace abuse, abandoned maintainers, plugin hooks, and the attacks that actually landed on PHP shops.

Apr 2, 20268 min read
Page 2 of 6

Stay informed

Weekly insights on software supply chain security, delivered to your inbox.

Blog | Safeguard — Software Supply Chain Security Insights