Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
When an npm package looks suspicious, you need a systematic approach to determine if it is malicious. These analysis techniques separate noise from genuine threats.
A fundamental flaw in npm's package handling allowed published package metadata to differ from actual package contents, undermining trust in the entire ecosystem.
Lock files are your first line of defense against dependency drift. This guide explains how package-lock.json, yarn.lock, and similar files protect your builds from supply chain manipulation.
Each package manager has its own security model, attack surface, and best practices. This guide compares npm, pip, and Maven from a supply chain security perspective.
From mandatory MFA for top packages to enhanced login verification, npm made significant security improvements in 2022. Here's what changed.
A thorough walkthrough of securing your JavaScript dependency tree, from lockfile hygiene to automated auditing and runtime protections.
Lockfile injection is a subtle supply chain attack where malicious changes to package-lock.json redirect dependency resolution to attacker-controlled packages. Here is how it works and how to detect it.
The first quarter of 2022 saw a surge in npm malware — from protestware to dependency confusion to credential-stealing packages. Here's a roundup of the most significant incidents and emerging trends.
Marak Squires deliberately broke two of npm's most popular packages to protest the exploitation of open source maintainers. The fallout exposed how fragile our dependency chains really are.
Weekly insights on software supply chain security, delivered to your inbox.