Dependency Confusion Five Years In: Evolution
Dependency confusion turned five in 2026. We look at how the attack has evolved, why it still works, and what defenders have actually learned.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
AI coding assistants are now standard developer tooling. The incident data from 2025 and early 2026 shows a recurring pattern of source code, credential, and customer data leaking through them.
A senior engineer's guide to where CMMC 2.0 deadlines actually sit in 2026, what assessors are looking for, and how supply chain controls fit into the certification path.
Open source maintainers are now a primary target for state and criminal actors. We trace the 2026 social engineering, infrastructure, and credential patterns.
An attacker who can swap the model behind an API call can read every prompt and shape every response. The emerging trend in 2026 is model substitution as an attack class with its own techniques and disclosures.
A senior engineer's view of how NYDFS Part 500 amendments through 2025 and 2026 reshape software supply chain expectations for regulated financial institutions.
CI/CD platforms have become high-value supply chain targets. We analyze 2026 attack trends, including runner abuse, action poisoning, and OIDC token theft.
Prompt injection started as a research curiosity. In 2026 it is a regular line item on bug bounty leaderboards, with payout norms, scope definitions, and a maturing triage culture.
Two dozen AI guardrail vendors in 2023. A much smaller set in 2026. The consolidation has a pattern: integrated platforms beat standalone guardrails.