An npm Incident Response Playbook
When an npm package in your dependency graph is compromised at midnight, you need a playbook, not a brainstorm. Here is the one I wrote after three real incidents.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Mailchimp disclosed three social-engineering-driven intrusions in thirteen months; the timeline illustrates how repeated incidents shape vendor trust.
23 NYCRR Part 500 was amended in 2023 with stronger third-party and vulnerability management language. For covered financial entities, SBOM practice has quietly become a compliance expectation.
Zero trust is not just a network architecture concept. Applied to the software supply chain, it fundamentally changes how organizations verify code, dependencies, and build processes.
Supply chain observability in Azure is not missing telemetry — it is missing the right queries. A walk through the Azure Monitor data sources that actually answer the hard questions.
NIST CSF 2.0 added the Govern function, broadened the target audience, and clarified supply chain expectations. Field observations from the first year of adoption.
NuGet supports signed packages — author signatures, repository signatures, and verification modes. A practical guide to enforcing it properly.
A practical senior engineer's playbook for rotating secrets across microservices without downtime, drift, or the quiet credential leaks that come from half-done cutovers.
FIN7 has spent a decade evolving from POS malware to supply chain operations. A look at the current tradecraft and the implications for financial-sector defenders.