ESLint Supply Chain Attack: Malicious npm Packages Targeting Developers
Attackers published malicious packages impersonating ESLint on npm, exploiting developer trust in the popular linting tool to steal credentials.
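Impersonation on npm usually means a name that is one typo, one separator swap or one scope away from the package developers meant to install. The following is an added example, not code from the original post or from the Safeguard project: a small lookalike check run over a hand-written dependency list. The set of "known good" names, the sample dependencies and the edit-distance threshold of 2 are all assumptions chosen for the demo.

```python
"""Flag dependency names that look like well-known packages.

Added example (not from the original post). KNOWN_GOOD, the sample
dependency list and the distance threshold are constructed for the demo.
"""
from __future__ import annotations

# Popular packages that attackers commonly impersonate (constructed list).
KNOWN_GOOD = {"eslint", "eslint-scope", "eslint-config-prettier",
              "lodash", "express", "react"}

# Constructed package.json-style dependency names to scan.
SAMPLE_DEPENDENCIES = ["eslint", "esilnt", "eslint_scope",
                       "lodahs", "express", "react-dom"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Lower-case and collapse separators so 'eslint_scope' compares as 'eslint-scope'."""
    return name.lower().replace("_", "-").replace(".", "-")


def suspicious(dep: str, known: set[str] = KNOWN_GOOD, max_dist: int = 2) -> str | None:
    """Return the known package that `dep` resembles, or None.

    An exact match is fine. A name that only normalizes to a known name
    (separator swap) has distance 0 and is flagged, because it is a different
    package on the registry.
    """
    if dep.lower() in known:
        return None
    n = normalize(dep)
    best: tuple[int, str] | None = None
    for k in known:
        d = levenshtein(n, k)
        if d <= max_dist and (best is None or d < best[0]):
            best = (d, k)
    return best[1] if best else None


def scan(deps: list[str]) -> dict[str, str]:
    """Map each suspicious dependency name to the package it imitates."""
    hits = {}
    for dep in deps:
        target = suspicious(dep)
        if target is not None:
            hits[dep] = target
    return hits


if __name__ == "__main__":
    for dep, target in scan(SAMPLE_DEPENDENCIES).items():
        print(f"{dep!r} looks like {target!r}; verify before installing")
```

The check deliberately treats `eslint_scope` as a hit even though it is zero edits from `eslint-scope` after normalization: on npm those are two distinct names, and the underscore variant is exactly what an impersonator would register. Names such as `react-dom` stay clear because the distance to any listed package exceeds the threshold; tune `max_dist` and `KNOWN_GOOD` to your own lockfile rather than relying on these sample values.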
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
CircleCI's January 2023 breach exposed secrets for thousands of organizations. Here's how the attack unfolded and what it means for CI/CD security.
From LastPass to Log4j's aftermath to new regulations, 2022 was the year supply chain security went from niche concern to board-level priority.
LastPass revealed that the August breach enabled a second attack that exfiltrated encrypted customer vaults. The full scope of the damage was devastating.
By mid-2022, supply chain attacks had surged 742% over the previous three years. Here's the data, the trends, and what defenders need to know.
LastPass disclosed that an attacker accessed their development environment for four days. The full impact wouldn't be known for months.
Git records whatever author name and email the committer supplies, so unless commits are signed and verified, attackers can impersonate any committer on GitHub, inject malicious code through PRs, and exploit lax review processes. Here's the risk.
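To see how cheap committer impersonation is, and what the corresponding check looks like, here is an added example that is not from the original post: a throwaway repository receives a commit whose author fields are set to a name and address the committer does not own, and a small function then rejects HEAD unless git reports a verified signature. The repository path, the author identity and the commit message are made up for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): git author metadata is free-form,
# so a signature check is the only thing that ties a commit to a person.
# The identity and paths below are invented for the demo.
set -eu

# Create a temporary repo and commit under a spoofed author. No credentials
# are involved: -c user.name / -c user.email just fill in the commit header.
make_spoofed_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    echo 'module.exports = {}' > "$repo/index.js"
    git -C "$repo" add index.js
    git -C "$repo" -c user.name='Trusted Maintainer' \
                   -c user.email='maintainer@example.com' \
                   commit -q -m 'chore: bump deps'
    echo "$repo"
}

# Print the author git recorded for HEAD: exactly what the committer claimed.
head_author() {
    git -C "$1" log -1 --format='%an <%ae>'
}

# The check a branch-protection rule should enforce: %G? is 'G' only when the
# commit carries a signature that verifies. Returns 0 if signed, 1 otherwise.
head_is_signed() {
    status=$(git -C "$1" log -1 --format='%G?')
    [ "$status" = "G" ]
}

if [ "${1:-}" = "demo" ]; then
    r=$(make_spoofed_repo)
    echo "author on record: $(head_author "$r")"
    if head_is_signed "$r"; then
        echo "signed and verified"
    else
        echo "UNSIGNED: the author line is just a string anyone can set"
    fi
fi
```

Run it with `sh spoof-demo.sh demo`. The author line comes back as `Trusted Maintainer <maintainer@example.com>` while the signature status is `N`; GitHub renders such a commit against whichever account has that email unless the repository requires verified signatures, which is why `head_is_signed` (or the equivalent "Require signed commits" branch rule) belongs in the merge gate rather than in a reviewer's head.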
The ctx package on PyPI was hijacked to steal environment variables from developer machines. The attack exploited an expired domain to take over a maintainer account — a novel and repeatable technique.
Maven Central is the backbone of the Java ecosystem, serving billions of artifact downloads annually. Its unique trust model and dependency resolution create supply chain risks that Java teams must understand.