Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
AWS measured the September 8 chalk/debug compromise being removed within 2.5 hours and Shai-Hulud 2.0 in November within 12 hours. Here is how the registry-side response workflow operates and how to consume the signal.
Dependency confusion still works in 2026 because teams keep missing the same three controls. Here's how to detect and block it in npm, pip, and Maven.
Dependency confusion is moving beyond name-typosquat. Reflection-based techniques let attackers hijack packages through dynamic imports and runtime resolution.
npm's unpublish and tarball retention rules create a narrow but real window for attackers to reclaim deleted names and swap tarball contents. Here is the 2025 research.
Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.
`--ignore-scripts` is the blunt fix that breaks node-sass and better-sqlite3. Here is the surgical version that keeps builds green and postinstalls contained.
A senior engineer's breakdown of how maintainer account takeovers evolved in 2025, from phishing kits targeting PyPI to session token theft on GitHub and npm.
A practical detection workflow for malicious npm packages: install-time signals, registry heuristics, reachability checks, and CI gates that actually block attacks.
A senior engineer's view of six years of npm protestware, from colors.js to peacenotwar, and the supply chain lessons that still apply to modern JavaScript shops.
Weekly insights on software supply chain security, delivered to your inbox.