npm Package Takeover: The Summer 2024 Wave
Between May and June 2024 at least 36 npm packages were hijacked via expired maintainer domains and leaked tokens. We map the cluster.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A senior engineer's assessment of Infisical as a self-hostable secrets platform, covering architecture, operational posture, and where it fits in 2024.
Sonatype made several Maven Central changes in 2024 that materially affected the Java supply chain. A rundown of what changed, who was affected, and what Java teams should do.
Six months after the OSS Pledge launch, adoption is climbing but uneven. Who signed, who followed through with funding, and what the pledge has actually shifted in open-source economics.
As open source AI models proliferate, their security implications extend far beyond traditional software vulnerabilities. Model poisoning, supply chain tampering, and unsafe deserialization create new attack surfaces.
How to contribute to open-source projects without introducing security vulnerabilities, and how to evaluate the security posture of projects you contribute to.
The xz-utils backdoor (CVE-2024-3094) nearly compromised SSH on every modern Linux distro. Here is how the implant worked and what it teaches us.
How Netflix manages security across hundreds of open-source projects and thousands of internal dependencies while maintaining the velocity that streaming demands.
A heap buffer overflow in curl's SOCKS5 proxy handshake earned a severity rating of HIGH from curl's creator Daniel Stenberg, who called it the worst curl flaw in a long time.