npm Supply Chain Attacks: 2022 Q1 Report
The first quarter of 2022 saw a surge in npm malware — from protestware to dependency confusion to credential-stealing packages. Here's a roundup of the most significant incidents and emerging trends.
The node-ipc package was deliberately sabotaged by its maintainer to protest the Russia-Ukraine conflict, wiping files on systems with Russian or Belarusian IP addresses. A watershed moment for supply chain trust.
2021 was the year software supply chain attacks went mainstream. From SolarWinds aftermath to Log4Shell, here's every major incident and what they tell us about the threat landscape.
The Pegasus Project revealed NSO Group's spyware targeting journalists, activists, and politicians through zero-click exploits. This is what a weaponized supply chain looks like.
Attackers exploit human typos to distribute malware through package registries. Here's how typosquatting works, real examples, and how to protect your builds.
Alex Birsan's research showed how internal package names can be exploited to inject malicious code into corporate build systems. Here's how the attack works and how to defend against it.
The Accellion FTA breach hit over 100 organizations through a 20-year-old file transfer appliance. Here's what went wrong and why legacy software is a ticking time bomb.
Attackers modified Codecov's bash uploader script to steal environment variables from CI pipelines. Thousands of repositories were exposed for two months.
The SolarWinds attack compromised 18,000 organizations through a single tampered update. Six months later, here's what the industry should have learned.