npm Slopsquat: The Hallucinated Package Risk in 2026
Slopsquatting is the practice of registering package names that LLMs hallucinate, turning AI coding assistants into an accidental distribution channel.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
February 2026 at Safeguard.sh: Lino behavioral baselines, Eagle base image advisories, Griffin reachability for Rust, and a new workflow editor.
YAML's type system allows object instantiation during parsing. In many languages, this means a YAML file can execute arbitrary code.
A practical walkthrough of what NIST Secure Software Development Framework audits look like in 2026, where evidence gaps show up, and how to prepare without burning out engineering.
Function calling gives models the ability to act. Acting safely on behalf of a specific user, in a specific context, within specific policy is a different problem.
LLM selection is ultimately a cost-quality optimisation under workflow constraints. The curve is not smooth, and the right point on it depends on where errors land in your pipeline.
The Black Basta chat leak gave defenders a rare inside view of how a ransomware program operates. Here are the durable engineering lessons to take from it.
NuGet package signing has quietly become one of the stricter supply chain stories in mainstream ecosystems. Here is what .NET teams actually need to know.
A function whose output space is finite and enumerable can be secured by testing. A function whose output space is every string of tokens up to some length cannot. That difference quietly invalidates most classical security contracts.