npm Package Takeover: The Summer 2024 Wave
Between May and June 2024 at least 36 npm packages were hijacked via expired maintainer domains and leaked tokens. We map the cluster.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Managing vulnerabilities across thousands of applications and millions of dependencies requires fundamentally different approaches than what works for a single team. Here is what scales.
The Middle East is investing heavily in digital transformation, but the cybersecurity infrastructure is not keeping pace. A look at the threat landscape, regulatory evolution, and supply chain risks across the region.
Module hijacking in Go is rare compared to npm, but it does happen, and the patterns worth watching are different from what you might expect from other ecosystems.
The libraries and services that sit between a merchant and the card networks carry concentrated risk. A practical look at what goes wrong, and how to build a dependency program that catches it.
CodePipeline is the glue between your source, build, and deploy. It is also the thing that gets the widest IAM role in most AWS accounts. Here is how to harden it without rewriting your pipelines.
Clop has turned supply chain exploitation into a repeatable playbook — MOVEit, GoAnywhere, Cleo. A look at the tradecraft that makes the campaign work.
Security tools that developers hate get bypassed. The organizations with the best security outcomes are the ones that treat developer experience as a security requirement.
The Safeguard VS Code extension surfaces vulnerability data, dependency health, and policy violations directly in your editor as you write code.