Incident Response for Supply Chain Attacks: A 2026 Playbook
A practical incident response playbook tailored for supply chain compromises — from initial detection through containment, eradication, and lessons learned.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Dependency confusion still works in 2026 because teams keep missing the same three controls. Here's how to detect and block it in npm, pip, and Maven.
`--ignore-scripts` is the blunt fix that breaks node-sass and better-sqlite3. Here is the surgical version that keeps builds green and postinstalls contained.
We propose a kill chain framework specific to software supply chain attacks, mapping attacker techniques to defensive controls at each stage.
Volt Typhoon is pre-positioning inside U.S. critical infrastructure using living-off-the-land tradecraft and third-party access. Here is what defenders should do about it.
Midnight Blizzard (APT29, Cozy Bear) has refined long-dwell supply chain access into an operational art. Here is what their 2023-2025 pattern looks like to defenders.
A concrete, timed playbook for the 72 hours after a critical dependency advisory — inventory, reachability, containment, remediation, and retrospective.
DPRK operatives have placed themselves inside Western companies as remote developers. Here is how that pattern functions as a supply chain threat and how to detect it.
Pickle deserialization, malicious Spaces, and namespace squatting: what 2024-2025 taught us about the Hugging Face model supply chain.