Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
The first quarter of 2025 saw a sharp increase in npm supply chain attacks. We catalog the major incidents and analyze the evolving techniques.
A field-tested board-level metrics framework for supply chain security, covering MTTR, reachable risk, SBOM coverage, and vendor posture with dollar-tied targets.
PyPI faced a surge of malicious package uploads in early 2025, targeting data science, AI/ML, and cloud development workflows. Here's the full picture.
Oracle's February 2025 Critical Control Baseline for critical infrastructure customers reshapes SCRM obligations. Here's what legal and security teams must know.
Kaspersky discovered a Chrome zero-day being exploited in a targeted espionage campaign dubbed Operation ForumTroll. The flaw broke Chrome's sandbox with no user interaction beyond clicking a link.
A critical flaw in Next.js allowed attackers to bypass middleware-based authorization by setting a single HTTP header. Applications relying on middleware for auth checks were completely exposed.
Scattered Spider adapted its tactics in 2025, moving beyond casino hacks to target retail, healthcare, and manufacturing with increasingly sophisticated social engineering.
How Intel TDX, AMD SEV-SNP, and AWS Nitro enclaves plug into build and signing pipelines, with attestation flows and operational tradeoffs.
The CISA Known Exploited Vulnerabilities catalog has become the definitive list of actively exploited flaws. An analysis of 2025 KEV trends reveals which products, vulnerability types, and attack patterns dominate.
Weekly insights on software supply chain security, delivered to your inbox.