Incident Analysis
XZ Utils Backdoor: One Year Retrospective
A year after the XZ Utils backdoor was caught by Andres Freund at Microsoft, what did we fix, what did we ignore, and what still gets packaged into Linux distros?
Mar 1, 20267 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A year after the XZ Utils backdoor was caught by Andres Freund at Microsoft, what did we fix, what did we ignore, and what still gets packaged into Linux distros?
Cloudflare Workers collapse the build, deploy, and runtime into one surface. That changes the supply chain threat model in ways most teams underestimate.
Stop chasing phantom vulnerabilities. Learn how reachability analysis reduces CVE noise by 80% and focuses remediation on what actually matters.
Autonomous coding agents can escalate privilege in subtle ways that traditional threat models miss. A breakdown of the common escalation paths and how to constrain them.
GitHub Copilot suggests fixes. Griffin AI generates fix PRs with taint paths and disproof attached. The difference is review burden.
Evals that run once are marketing. Evals that run on every build are infrastructure. Griffin AI runs the harness on every change; Mythos does not describe one.
Race conditions are the hardest class of vulnerabilities for static analysis. Specific architectural capabilities separate tools that find them from tools that claim to.
NIST finalized ML-KEM, ML-DSA, and SLH-DSA in 2024. Here's what it means for Sigstore, package registry signing, TLS, and the harvest-now-decrypt-later problem.
A practical guide to how Safeguard.sh works with managed security service providers — including the partners under exploratory discussion.
Weekly insights on software supply chain security, delivered to your inbox.