DUBLIN, Calif. — July 6, 2026 — Safeguard today introduced two supply-chain security capabilities: an install-time Package Firewall that blocks malicious open-source packages before they resolve into a project, and AI model-artifact scanning that inspects model weights for malware and unsafe deserialization before they load — now with support for the ONNX format. Both capabilities are tenant-scoped, audit-logged, administrator-toggleable, and emit into Safeguard's unified findings model alongside the company's existing scanning and reasoning engines.
The two launches target the same underlying problem from opposite ends of the software supply chain: attacker-controlled code that executes the moment it enters an environment — whether it arrives as a dependency during installation or as a model checkpoint on its way to inference.
Package Firewall: prevention at install time
The Package Firewall operates as an install-time proxy in front of the npm and pip package managers, inspecting each resolution before it reaches a project's dependency tree. It blocks three classes of attack inline: typosquats, dependency and namespace confusion, and known-malicious packages identified in the advisory ecosystem.
A non-executing behavioral analyzer examines package contents — install scripts, entry points, and manifest metadata — without executing them, so that blocking a hostile package never requires running its code. The firewall supports two operating modes: an audit mode that records what would have been blocked without interrupting installs, and a quarantine mode that holds suspicious packages out of resolution and routes them to review. An auto-release loop clears quarantined packages once they are vetted, without a manual re-run. Every decision is written to a tenant-scoped audit log.
AI model-artifact scanning: catching malware before weights load
Safeguard's AI security posture management (AI-SPM) scanning treats a model file as a supply-chain artifact, inspecting it for malware and unsafe deserialization before it reaches the inference plane. Coverage includes pickle-based formats via opcode disassembly (CWE-502, CWE-94), PyTorch torch-zip archives, and validation of the safetensors and GGUF formats.
The capability now adds ONNX scanning, detecting two ONNX-specific risks: custom operators capable of introducing arbitrary code into a model graph (CWE-94), and external-data path escape, in which a model references data files through paths that traverse outside the intended directory (CWE-22).
Part of a unified platform
Both capabilities feed the same unified, tenant-isolated findings model used by Safeguard's other engines — including first-party SAST and DAST, defensive red-team and breach-and-attack simulation gated by a signed rules-of-engagement safety kernel, runtime and CNAPP correlation, DSPM data classification, AutoTriage noise reduction, function-level reachability, and proof-based verification. New engines are rolled out behind feature flags.
"Attackers get their code into a stack one of two ways — a poisoned package on the way in, or a poisoned model on its way to inference," said Hritik Kumar Sharma, Founder and CEO of Safeguard. "Both of today's capabilities are prevention at the point of entry, not a report after the fact. We stop the malicious dependency before it resolves and the malicious weight before it loads, and both land in the same findings model as everything else, so a team sees one prioritized picture instead of another siloed alert stream."
Availability
The Package Firewall and AI model-artifact scanning, including ONNX support, are available now to Safeguard customers, tenant-scoped and administrator-toggleable. The Package Firewall can be enabled in audit mode before enforcement.
About Safeguard
Safeguard is the software supply chain security platform that fuses multiple scanners, a security-only AI model lineup (Griffin · Eagle · Lion), and reachability-aware reasoning to find what pattern scanners miss — from CVEs to candidate zero-days — and to ship the fix with cited reasoning. Learn more at https://safeguard.sh.