Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Marak Squires deliberately broke two of npm's most popular packages to protest the exploitation of open source maintainers. The fallout exposed how fragile our dependency chains really are.
The node-ipc package was deliberately sabotaged by its maintainer to protest the Russia-Ukraine conflict, wiping files on systems with Russian or Belarusian IP addresses. A watershed moment for supply chain trust.
An npm package with 8 million weekly downloads shipped a cryptominer and credential stealer for four hours. Here is the exact sequence of events.
The maintainer of colors and faker deliberately corrupted his own packages, affecting thousands of projects. It raised uncomfortable questions about open source sustainability and trust.
Attackers exploit human typos to distribute malware through package registries. Here's how typosquatting works, real examples, and how to protect your builds.
Attackers hijacked the ua-parser-js npm package account and published malicious versions containing cryptominers and password stealers. The package gets 8 million downloads per week.
Alex Birsan's research showed how internal package names can be exploited to inject malicious code into corporate build systems. Here's how the attack works and how to defend against it.
The 2018 event-stream incident was npm's first high-profile maintainer-handoff attack. The details still shape how we evaluate package trust.
Weekly insights on software supply chain security, delivered to your inbox.