🦜 SafeDep’s Blog
---
SafeDep continuously scans packages published in npm, PyPI, RubyGems, and more for malicious code, protecting software development teams at different stages of the software supply chain.
node-env-resolve: npm Package Installs a Full RAT
https://safedep.io/malicious-npm-node-env-resolve-rat
Published: May 3, 2026 10:00
node-env-resolve is a malicious npm package that installs a full-featured remote access trojan on developer machines. The RAT streams screens, captures audio, steals browser history, and gives full mouse and keyboard control to a remote operator. The…
common-tg-service: 502 npm Versions Hijack Telegram
https://safedep.io/malicious-common-tg-service-npm-telegram-hijacking-framework
Published: May 1, 2026 12:00
common-tg-service ships 502 npm versions of a Telegram account-takeover framework with hardcoded 2FA credentials, IMAP-based code harvesting, and forced session eviction. Its companion package ams-ssk is the server-side runtime.
exiouss: Cookie Stealer Bundled in npm Exam Cheat
https://safedep.io/malicious-exiouss-npm-exam-cheating-tool
Published: May 1, 2026 00:00
exiouss on npm is the latest package from the loltestpad campaign — the same attacker who published the ixpresso-core Windows RAT in April. It bundles a dormant ChatGPT cookie stealer alongside an AI exam cheating tool, targeting students who willingly run…
PyTorch Lightning Compromised: Shai-Hulud Worm Reaches PyPI
https://safedep.io/malicious-pytorch-lightning-pypi-compromise
Published: April 30, 2026 12:00
PyPI yanked PyTorch Lightning versions 2.6.2 and 2.6.3 after both embedded a two-stage credential-stealing payload. Any import of the library spawns an 11MB obfuscated JavaScript worm identical to the Shai-Hulud payload seen in the April 29 SAP npm…
Mini Shai Hulud and SAP Compromise
https://safedep.io/mini-shai-hulud-and-sap-compromise
Published: April 29, 2026 14:00
Four SAP npm packages published on April 29, 2026 contain a two-stage credential-stealing payload targeting GitHub tokens, AWS keys, and CI/CD pipelines. The packages share SAP-affiliated maintainers, pointing to a publisher account compromise.
Malicious redeem-onchain-sdk npm Targets Crypto Wallets
https://safedep.io/redeem-onchain-sdk-polymarket-npm-malware
Published: April 29, 2026 13:00
redeem-onchain-sdk impersonates a Polymarket helper SDK and exfiltrates SSH keys, AWS credentials, npm tokens, Docker configs, Chrome saved logins, and a month of local git history to an AWS-hosted C2. The payload was shipped dormant for nearly a month,…
Bitwarden CLI Supply Chain Compromise
https://safedep.io/bitwarden-cli-supply-chain-compromise
Published: April 24, 2026 00:00
A technical writeup of the malicious `@bitwarden/cli@2026.4.0` release linked to the Checkmarx campaign. Covers the poisoned publish path, loader changes, credential theft, GitHub abuse, and responder takeaways.
Malicious Pull Requests: A Threat Model
https://safedep.io/malicious-pull-requests-threat-model
Published: April 22, 2026 00:00
A compact threat model of the malicious pull request as a supply chain attack primitive against GitHub Actions: attacker, goals, assets, controllable surface, and an attack vector taxonomy (V1 through V8).
ixpresso-core: Windows RAT Disguised as a WhatsApp Agent
https://safedep.io/malicious-ixpresso-core-npm-rat
Published: April 16, 2026 00:00
ixpresso-core poses as an AI WhatsApp agent on npm but installs Veltrix, a Windows RAT that steals browser credentials, Discord tokens, and keystrokes via a hardcoded Discord webhook.
PMG dependency cooldown: wait on fresh npm versions
https://safedep.io/pmg-dependency-cooldown
Published: April 16, 2026 00:00
Package Manager Guard (PMG) blocks malicious installs and now supports dependency cooldown, a configurable window that hides brand-new npm versions during resolution so installs prefer older, already-visible releases.
forge-jsx npm Package: Purpose-Built Multi-Platform RAT
https://safedep.io/malicious-forge-jsx-npm-rat
Published: April 15, 2026 17:36
forge-jsx poses as an Autodesk Forge SDK on npm. On install it deploys a system-wide keylogger, recursive .env file scanner, shell history exfiltrator, and a WebSocket-based remote filesystem backdoor to C2 at 204.10.194.247, with persistence via systemd,…
Malicious npm Package js-logger-pack Ships a Multi-Platform WebSocket Stealer
https://safedep.io/malicious-js-logger-pack-npm-stealer
Published: April 15, 2026 12:00
js-logger-pack spent three weeks on npm evolving from a probe into a full infostealer and then a binary dropper. Early versions installed an SSH backdoor, hijacked Telegram sessions, drained 27 crypto wallets, and deployed a cross-platform keylogger. After…
Malicious dom-utils-lite npm SSH Backdoor via Supabase
https://safedep.io/malicious-dom-utils-lite-npm-ssh-backdoor
Published: April 14, 2026 12:00
dom-utils-lite and centralogger on npm inject attacker SSH keys into ~/.ssh/authorized_keys and exfiltrate server metadata to Supabase-hosted C2 infrastructure, granting persistent remote access.
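The dom-utils-lite and centralogger entry above describes the attacker appending keys to ~/.ssh/authorized_keys. The check a responder wants after such a report is an audit of that file against the fingerprints the team actually provisioned. The following is an added example written for this page, not code from the SafeDep post or the packages it analyses; the sample keys are constructed in the block (real ones come from ssh-keygen), and the allowlist is a hypothetical set of known fingerprints.

```python
import base64
import hashlib
import struct

# Key types OpenSSH accepts in authorized_keys (a representative subset).
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def build_key_blob(key_type: str, key_bytes: bytes) -> str:
    """Assemble a base64 public-key blob in SSH wire format (length-prefixed strings).

    Used here only to construct sample keys offline; it is not a key generator.
    """
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """Parse authorized_keys into dicts. An options field may precede the key type.

    Limitation: options containing whitespace inside quotes are not handled.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            entries.append({"line": lineno, "error": "unparseable entry", "raw": line})
            continue
        try:
            fp = fingerprint(parts[idx + 1])
        except ValueError:  # binascii.Error is a ValueError
            entries.append({"line": lineno, "error": "invalid base64 key blob", "raw": line})
            continue
        entries.append({
            "line": lineno,
            "options": " ".join(parts[:idx]),
            "type": parts[idx],
            "fingerprint": fp,
            "comment": " ".join(parts[idx + 2:]),
        })
    return entries


def audit_authorized_keys(text: str, allowed_fingerprints: set[str]) -> list[dict]:
    """Return every entry that is unparseable or whose fingerprint is not allowlisted."""
    findings = []
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            findings.append(entry)
        elif entry["fingerprint"] not in allowed_fingerprints:
            findings.append({**entry, "error": "fingerprint not in allowlist"})
    return findings


# Constructed sample: one key the team provisioned, one appended by a malicious install hook.
KNOWN_BLOB = build_key_blob("ssh-ed25519", bytes(range(32)))
ROGUE_BLOB = build_key_blob("ssh-ed25519", bytes(range(32, 64)))

SAMPLE_AUTHORIZED_KEYS = f"""# provisioned by config management
ssh-ed25519 {KNOWN_BLOB} deploy@ci
ssh-ed25519 {ROGUE_BLOB} attacker@c2
"""

# Hypothetical allowlist: fingerprints from the team's key inventory.
ALLOWED = {fingerprint(KNOWN_BLOB)}


if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(f"line {f['line']}: {f['error']} ({f.get('comment') or f.get('raw')})")
```

Run it against `~/.ssh/authorized_keys` on every host the affected package was installed on; an allowlist keyed by fingerprint rather than comment matters because the comment field is attacker-controlled text.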
Malicious npm Dependency Confusion Campaign Targets Genoma UI and Others
https://safedep.io/malicious-genoma-ui-npm-dependency-confusion-campaign
Published: April 10, 2026 07:15
A dependency confusion campaign by npm user victim59 targets at least three organizations through scoped packages @genoma-ui/components, @needl-ai/common, and rrweb-v1. The packages use install hooks to beacon system reconnaissance data to a DigitalOcean…
big.js Typosquat Campaign Implants SSH Backdoors
https://safedep.io/malicious-sjs-biginteger-npm-ssh-theft
Published: April 9, 2026 12:00
Three waves of big.js typosquats (sjs-biginteger, bjs-biginteger, cjs-biginteger) from throwaway npm accounts implant SSH backdoors and exfiltrate credentials to Cloudflare-disguised C2 infrastructure.
@fairwords npm Packages Hit by Credential Worm
https://safedep.io/malicious-fairwords-npm-credential-worm
Published: April 8, 2026 03:30
Three @fairwords npm packages were compromised with a self-propagating worm that harvests credentials, crypto wallets, Chrome passwords, and spreads to other packages using stolen npm tokens.
Malicious @velora-dex/sdk Delivers Go RAT via npm
https://safedep.io/malicious-velora-dex-sdk-npm-compromised-rat
Published: April 8, 2026 01:53
Version 9.4.1 of @velora-dex/sdk, a DeFi SDK with ~2,000 weekly downloads, was compromised to deliver a Go-based remote access trojan (minirat) targeting macOS developers.
Malicious hermes-px on PyPI Steals AI Conversations
https://safedep.io/malicious-hermes-px-pypi-ai-conversation-stealer
Published: April 6, 2026 00:00
hermes-px on PyPI steals AI conversations via triple-encrypted exfiltration to Supabase, routing through a hijacked university endpoint while injecting a stolen 245KB system prompt.
prt-scan: A 5-Phase GitHub Actions Credential Theft Campaign
https://safedep.io/prt-scan-github-actions-exfiltration-campaign
Published: April 3, 2026 18:30
A throwaway GitHub account submitted 219+ malicious pull requests in a single day, each carrying a 352-line payload that steals CI secrets, injects workflows, bypasses label gates, and scans /proc for credentials. Five payload variants target GitHub…
Thirty-Six Malicious npm Strapi Packages Deploy Redis RCE, Database Theft, and Persistent C2
https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent
Published: April 3, 2026 12:00
A coordinated campaign of thirty-six malicious npm packages published by four sock-puppet accounts (umarbek1233, kekylf12, tikeqemif26, and umar_bektembiev1) targets Strapi CMS deployments with eight distinct payloads evolving from Redis RCE exploitation…
Compromised npm Package mgc Deploys Multi-Platform RAT
https://safedep.io/malicious-npm-mgc-compromised-rat
Published: April 3, 2026 00:00
The npm package mgc was compromised via account takeover, with four malicious versions published in rapid succession deploying a full Remote Access Trojan targeting macOS, Windows, and Linux.
Malicious npm Package express-session-js Drops Full RAT Payload
https://safedep.io/malicious-npm-package-express-session-js
Published: April 2, 2026 00:00
A malicious npm package typosquatting express-session fetches and executes a full Remote Access Trojan from a paste service, targeting browser credentials, crypto wallets, SSH keys, and more.
axios Compromised: npm Supply Chain Attack via Dependency Injection
https://safedep.io/axios-npm-supply-chain-compromise
Published: March 31, 2026 02:26
axios 1.14.1 was published to npm via a compromised maintainer account, injecting a trojanized dependency that executes a multi-platform reverse shell on install. No source code changes in axios itself, just a new entry in package.json.
Compromised telnyx on PyPI: WAV Steganography and Credential Theft
https://safedep.io/malicious-telnyx-pypi-compromise
Published: March 27, 2026 00:00
Analysis of malicious telnyx 4.87.1 and 4.87.2 on PyPI — a package with over 1 million monthly downloads: injected code uses WAV audio steganography to deliver payloads that steal credentials and establish persistence. Attributed to TeamPCP.
sl4x0 Dependency Confusion: 92 Packages Target Fortune 500
https://safedep.io/sl4x0-dependency-confusion-campaign
Published: March 24, 2026 00:00
A sustained dependency confusion campaign by the sl4x0 actor likely targets 20+ organizations including Adobe, Ford, Sony, and Coca-Cola with 92+ malicious npm packages exfiltrating developer data via DNS.
Malicious litellm 1.82.8: Credential Theft and Persistent Backdoor
https://safedep.io/malicious-litellm-1-82-8-analysis
Published: March 24, 2026 00:00
Analysis of compromised litellm 1.82.8 on PyPI: a .pth file triggers credential theft, AWS/K8s secret exfiltration, and persistent C2 backdoor on install.
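The litellm entry above hinges on a .pth file: CPython's site module reads every *.pth file in a site-packages directory at startup, skips blank lines and lines beginning with '#', treats most lines as paths to add to sys.path, and passes any line beginning with "import " (or "import" followed by a tab) to exec(). That makes a .pth file a persistence point that fires on every interpreter start, before any user code. The following scanner is an added example written for this page, not code from the SafeDep analysis; it builds a constructed site-packages directory in a temp folder, with a hypothetical malicious "hidden-loader.pth", and lists the lines the interpreter would execute.

```python
import tempfile
from pathlib import Path

# Substrings that rarely appear in a legitimate .pth one-liner but are typical of loaders.
SUSPICIOUS_MARKERS = ("base64", "exec(", "subprocess", "urllib", "socket", "zlib", "compile(")


def executable_pth_lines(site_packages: str) -> list[tuple[str, int, str]]:
    """Return (file name, line number, line) for every .pth line site.py would exec()."""
    findings = []
    for pth in sorted(Path(site_packages).glob("*.pth")):
        try:
            text = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            # Mirrors site.py: only lines starting with 'import ' / 'import\t' are executed.
            if line.startswith(("import ", "import\t")):
                findings.append((pth.name, lineno, line.rstrip()))
    return findings


def suspicious_pth_lines(site_packages: str) -> list[tuple[str, int, str]]:
    """Subset of executable lines containing a loader-style marker."""
    return [
        hit for hit in executable_pth_lines(site_packages)
        if any(marker in hit[2] for marker in SUSPICIOUS_MARKERS)
    ]


def make_sample_site_packages() -> str:
    """Constructed sample directory: one path-only .pth, one benign import line, one loader."""
    root = Path(tempfile.mkdtemp(prefix="site-packages-"))
    # Path line only: never executed, just added to sys.path.
    (root / "easy-install.pth").write_text("/opt/app/src\n")
    # Benign executable line, modelled on the shim setuptools ships.
    (root / "distutils-precedence.pth").write_text(
        "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; "
        "enabled = os.environ.get(var, 'local') == 'local'; "
        "enabled and __import__('_distutils_hack').add_shim(); \n"
    )
    # Hypothetical loader: the payload is an encoded print("hi"); the scanner never runs it.
    (root / "hidden-loader.pth").write_text(
        "# looks like a comment\n"
        "import base64,sys;exec(base64.b64decode('cHJpbnQoImhpIik='))\n"
    )
    return str(root)


if __name__ == "__main__":
    sample = make_sample_site_packages()
    for name, lineno, line in executable_pth_lines(sample):
        flag = "SUSPICIOUS" if (name, lineno, line) in suspicious_pth_lines(sample) else "exec"
        print(f"{flag:10} {name}:{lineno}: {line[:80]}")
```

Point it at each entry of `site.getsitepackages()` and `site.getusersitepackages()` on the affected hosts; the marker list is a heuristic, so review every executable line rather than only the flagged ones.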
Trivy Supply Chain Compromise: What Happened, What Was Stolen, and How to Respond
https://safedep.io/trivy-teampcp-supply-chain-compromise
Published: March 23, 2026 00:00
A consolidated technical reference for the TeamPCP supply chain attack against Aqua Security's Trivy scanner. Covers the full attack chain from AI-assisted initial breach through credential theft, GitHub Actions tag poisoning, a self-propagating npm worm,…
Malicious npm Package react-refresh-update Drops Cross-Platform Trojan on Developer Machines
https://safedep.io/malicious-npm-react-refresh-update
Published: March 16, 2026 00:00
A malicious npm package impersonating react-refresh, Meta's library with 42 million weekly downloads, was detected by SafeDep. The package injects a two-layer obfuscated dropper into runtime.js that silently fetches and executes a platform-specific…
How to Write Time-Based Security Policies in SafeDep vet
https://safedep.io/writing-time-based-policies-in-vet-cel
Published: March 10, 2026 00:00
Protect against unknown malicious open source packages by enforcing a supply chain cooling-off period using the now() CEL function in SafeDep vet.
Threat Modeling the AI-Native SDLC: Supply Chain Security in the Age of Coding Agents
https://safedep.io/ai-native-sdlc-supply-chain-threat-model
Published: March 9, 2026 00:00
AI agents are rewriting the software development lifecycle. From vibe coding to autonomous CI/CD, every phase now involves an LLM making decisions about your code and dependencies. Here is a threat model for the AI-native SDLC from a supply chain security…
Malicious npm Package pino-sdk-v2 Exfiltrates Secrets to Discord
https://safedep.io/malicious-npm-package-pino-sdk-v2-env-exfiltration
Published: March 6, 2026 00:00
A malicious npm package impersonating the popular pino logger was detected by SafeDep. The package hides obfuscated code inside a legitimate library file to steal environment secrets and send them to a Discord webhook.
Gryph: Audit Trail for AI Coding Agents
https://safedep.io/gryph-ai-agent-audit-trail
Published: March 4, 2026 00:00
AI coding agents operate with broad access to your codebase, credentials, and shell. Gryph logs every action they take to a local SQLite database, making agent behavior visible, queryable, and auditable.
Integrate SafeDep MCP in GitHub Agentic Workflow
https://safedep.io/safedep-mcp-in-github-agentic-workflow
Published: February 27, 2026 00:00
Learn how to integrate SafeDep MCP with GitHub Agentic Workflows to automatically evaluate the security posture of OSS dependencies in your pull requests using AI.
Shadow AI Discovery: Find Every AI Tool and SDK in Your Stack
https://safedep.io/shadow-ai-discovery-vet
Published: February 27, 2026 00:00
AI tools and SDKs are spreading across developer environments faster than security teams can track. vet discovers agents, MCP servers, extensions, and AI SDK usage in code. Open source, local, one CLI.
Malicious npm Packages Target Schedaero via Dependency Confusion
https://safedep.io/schedaero-dependency-confusion-attack
Published: February 25, 2026 00:00
A detailed analysis of a dependency confusion supply chain attack likely targeting Schedaero, a leading aviation software company. We dissect the payload, the exfiltration mechanism, and the indicators of compromise.
npm SANDWORM_MODE Attack: Step-by-Step Malware Analysis
https://safedep.io/npm-sandworm-mode-supply-chain-attack
Published: February 21, 2026 00:00
Step-by-step technical analysis of the SANDWORM_MODE npm supply chain attack. We dissect yarsg and format-defaults malicious packages, decode multi-layer obfuscation, and trace the payload delivery chain.
AI Agent Cline v2.3.0 Compromised: From Prompt Injection to Unauthorized npm Publish
https://safedep.io/cline-cli-compromised
Published: February 18, 2026 00:00
A compromised npm token was used to publish a tampered version of Cline CLI. A prompt injection vulnerability in Cline's AI-powered GitHub Actions workflow may have enabled the credential theft.
Why We Built a Hosted MCP Server to Stop Malicious Packages for AI Agents
https://safedep.io/why-we-built-a-hosted-mcp-server-for-ai-coding-agents
Published: February 16, 2026 00:00
Exposing an MCP server is trivial. Making it useful for AI agents is not. Here's what we learned dogfooding our own tool, and why we built a hosted MCP server backed by real-time open source threat intelligence.
End-to-End test with Nextjs, Playwright and MSW
https://safedep.io/end-to-end-test-nextjs-msw-playwright
Published: February 3, 2026 08:59
A practical Next.js 16 App Router E2E setup with Playwright and MSW that keeps server-side fetch deterministic by focusing mocking where it matters, not on server actions.
Agent Skills Threat Model
https://safedep.io/agent-skills-threat-model
Published: January 23, 2026 10:45
Discover critical security threats in Agent Skills - Anthropic's open format for AI agent capabilities. Learn about supply chain attacks, deferred code execution, prompt injection, and multiple attack vectors. Essential reading for developers and security…
The State of MCP Registries
https://safedep.io/the-state-of-mcp-registries
Published: December 20, 2025 00:00
Explore the architecture of the Model Context Protocol (MCP) and the state of its official registry. Learn how to consume server packages programmatically and discover the underlying challenges of data duplication and security in the current meta-registry…
DarkGPT: Malicious Visual Studio Code Extension Targeting Developers
https://safedep.io/dark-gpt-vscode-malicious-extension
Published: December 10, 2025 00:00
Malicious extensions are lurking in the Visual Studio Code marketplace. In this case, we discover and analyze DarkGPT, a Visual Studio Code extension that exploits DLL hijacking to load malicious code through a signed Windows executable.
Unpacking CVE-2025-55182: React Server Components RCE Exploit Deep Dive and SBOM-Driven Identification
https://safedep.io/react-server-nextjs-critical-vulnerability-find-and-fix-with-sbom
Published: December 4, 2025 10:45
A critical pre-authenticated remote code execution vulnerability (CVE-2025-55182) was disclosed in React Server Components, affecting Next.js applications using the App Router. Learn about the technical details of this prototype pollution vulnerability,…
Shai-Hulud 2.0 npm Supply Chain Attack Technical Analysis
https://safedep.io/shai-hulud-second-coming-supply-chain-attack
Published: November 24, 2025 10:45
Critical npm supply chain attack compromises zapier-sdk, @asyncapi, posthog, and @postman packages with self-replicating malware. Technical analysis reveals credential harvesting, GitHub Actions exploitation, and worm-like propagation affecting 25,000+…
An Opinionated Approach for Frontend Testing for Startups
https://safedep.io/frontend-testing-guide
Published: October 28, 2025 09:15
How we test our Frontend applications powered by React Query and server components with Vitest.
Curious Case of Embedded Executable in a Newly Introduced Transitive Dependency
https://safedep.io/curious-case-of-dependency-change-with-embedded-binary-stringish
Published: October 27, 2025 00:00
A routine dependency upgrade introduced a suspicious transitive dependency with an embedded executable. While manual analysis confirmed it wasn't malicious, this incident highlights the implicit trust we place in open source code and how attackers exploit…
Malicious npm Packages Impersonating Hyatt Internal Dependencies
https://safedep.io/malicious-npm-packages-hyatt-campaign
Published: October 23, 2025 00:00
Three malicious npm packages disguised as Hyatt internal dependencies were discovered using install hooks to execute malicious payloads. All packages share identical attack patterns and infrastructure.
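Two recurring patterns in the entries above are worth a mechanical check at review time: install hooks (the Hyatt and Genoma UI campaigns execute payloads from lifecycle scripts) and a release whose only change is a new package.json dependency (the axios 1.14.1 entry). npm runs the preinstall, install and postinstall scripts of a dependency automatically during `npm install`, and prepare on the root package and git dependencies, unless `--ignore-scripts` is set. The following is an added example written for this page, not code from SafeDep or any of the analysed packages; the two manifests are constructed, and "hypothetical-helper" is an invented dependency name.

```python
import json

# Lifecycle scripts npm runs without being asked during an install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Manifest fields that are name -> version-spec maps.
DEP_FIELDS = ("dependencies", "optionalDependencies", "peerDependencies")


def load_manifest(path: str) -> dict:
    """Read a package.json from disk (used in practice; the samples below are inline)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def install_hooks(manifest: dict) -> dict[str, str]:
    """Lifecycle scripts in the manifest that execute during install."""
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def added_dependencies(old: dict, new: dict) -> dict[str, tuple[str, str]]:
    """Dependencies present in `new` but absent from `old`: name -> (field, version spec)."""
    added = {}
    for field in DEP_FIELDS:
        before = set(old.get(field) or {})
        for name, spec in (new.get(field) or {}).items():
            if name not in before:
                added[name] = (field, spec)
    return added


def review_release(old: dict, new: dict) -> list[str]:
    """Human-readable findings comparing a previous manifest with a new release."""
    findings = []
    previous_hooks = install_hooks(old)
    for hook, cmd in install_hooks(new).items():
        if previous_hooks.get(hook) != cmd:
            findings.append(f"new or changed {hook} script: {cmd!r}")
    for name, (field, spec) in added_dependencies(old, new).items():
        findings.append(f"new {field} entry: {name}@{spec}")
    return findings


# Constructed sample manifests: the 1.0.1 release changes no JavaScript source, only package.json.
OLD_MANIFEST = {
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {"test": "node test.js"},
    "dependencies": {"lodash": "^4.17.21"},
}
NEW_MANIFEST = {
    "name": "example-lib",
    "version": "1.0.1",
    "scripts": {"test": "node test.js", "postinstall": "node scripts/setup.js"},
    "dependencies": {"lodash": "^4.17.21", "hypothetical-helper": "^0.0.3"},
}


if __name__ == "__main__":
    for line in review_release(OLD_MANIFEST, NEW_MANIFEST):
        print(line)
```

Run it over the published tarball's package.json rather than the repository copy; the axios case is exactly the one where the registry artifact and the git history disagree.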
Contributing to SafeDep Open Source Projects during Hacktoberfest 2025
https://safedep.io/hacktoberfest-safedep-2025
Published: October 6, 2025 00:00
Learn how to contribute to SafeDep open source projects during Hacktoberfest 2025 and help secure the open source software supply chain.
Ship Code. Not Malware. SafeDep Launches GitHub App for Malicious Package Protection
https://safedep.io/ship-code-not-malware-safedep-launches-github-app
Published: September 25, 2025 08:00
SafeDep launches a GitHub App for zero-configuration protection against malicious open source packages. Instantly scan pull requests and keep your code repositories safe from supply chain attacks.
Shai-Hulud Supply Chain Attack Incident Response
https://safedep.io/shai-hulud-supply-chain-attack-response
Published: September 22, 2025 12:00
The Shai-Hulud supply chain attack is a major incident targeting developers through malicious packages in the npm ecosystem. This post outlines the incident response steps that can be taken to contain and mitigate the impact of this attack.
Diff-based SCA with AI is Broken — Real Examples from Pipfile.lock, yarn.lock, and Cargo.lock
https://safedep.io/pitfalls-of-diff-based-sca-scanners
Published: September 19, 2025 00:00
Diff-based Software Composition Analysis (SCA) scanners in pull requests are prone to blind spots. By relying only on git diff data, they miss package context, suffer from nondeterministic rearrangements, and can be trivially bypassed—leaving…
npm Supply Chain Attack Exposes Private Repositories, AWS Credentials and More
https://safedep.io/npm-supply-chain-attack-targeting-maintainers
Published: September 16, 2025 16:00
npm supply chain attacks continue. This time targeting @ctrl/tinycolor and multiple other packages with credential stealer malware. In this blog, we will analyze the attack and its impact on the npm ecosystem. We will also look at common attack patterns…
npm Supply Chain Attack: Multiple Popular Packages Hijacked (1B+ Weekly Downloads)
https://safedep.io/multiple-npm-packages-compromised-billion-downloads
Published: September 8, 2025 16:00
Complete analysis of sophisticated crypto wallet drainer found in 21 npm packages with over one billion weekly downloads. Includes detailed technical breakdown of 76KB malware payload disguised in has-ansi@6.0.1 and multi-stage attack architecture.
nx Build System Compromised Targeting Linux and macOS developers
https://safedep.io/nx-build-system-compromise
Published: August 27, 2025 00:00
The popular npm package `nx` was compromised, targeting Linux and macOS developers. Malicious versions included a postinstall script that stole credentials, exfiltrated sensitive files, and added destructive commands to shell configs, causing system…
TensorFlow.js Typosquatting Attack: Malicious Package Targeting AI/ML Developers
https://safedep.io/malicious-npm-package-targeting-tensorflow-users
Published: August 12, 2025 00:00
A malicious npm package targeting TensorFlow users was discovered on npm. The package uses typosquatting to target the popular `tensorflow` package.
Multiple Malicious Python Packages Targeting Bittensor Crypto Developers
https://safedep.io/malicious-python-packages-target-crypto-developers
Published: August 12, 2025 00:00
Multiple malicious Python packages targeting crypto developers and their applications using typosquatting were discovered on PyPI. The packages were used to steal funds by executing a stealthy staking operation.
Security Risks in PEP 723 and uv: Inline Metadata Gone Wrong?
https://safedep.io/pep-723-inline-metadata-security
Published: August 1, 2025 00:00
PEP 723 introduces inline metadata for Python scripts, making tools like `uv` more convenient—but also potentially more dangerous. This post explores security pitfalls when dependencies are declared inside code files.
Secure Vibe Coding with AI Agents
https://safedep.io/vibe-coding-without-getting-pwned
Published: July 25, 2025 00:00
AI coding agents make development faster but can inadvertently introduce security risks by suggesting unvetted packages. Learn how to use vet MCP server for adding security to your vibe coding adventures.
eslint-config-prettier Compromised: How npm Package with 30 Million Downloads Spread Malware
https://safedep.io/eslint-config-prettier-major-npm-supply-chain-hack
Published: July 21, 2025 00:00
A supply chain attack exploiting eslint-config-prettier and other popular npm packages was discovered, with major supply chain impact. In this blog, we explore the details of the hack and the impact it had on the npm ecosystem.
SBOM Completeness with Direct & Transitive Dependencies
https://safedep.io/sbom-direct-transitive-deps
Published: July 5, 2025 00:00
Hidden transitive dependencies create security blind spots. This blog shows developers and CISOs how SafeDep vet uncovers full Maven dependency graphs, generating CycloneDX SBOMs and compliance-ready visuals.
SBOM and the EU Cyber Resilience Act (CRA) – What Software Vendors Need to Know
https://safedep.io/sbom-and-eu-cra-cyber-resilience-act
Published: June 13, 2025 17:58
The EU Cyber Resilience Act makes SBOMs mandatory for software products sold in Europe starting December 2027, with fines up to €15 million for non-compliance. Here's what software vendors need to know and how to prepare.
Introducing SafeDep Model Context Protocol (MCP) Server to Secure AI Generated Code
https://safedep.io/introducing-vet-mcp-server
Published: June 6, 2025 00:00
Introducing SafeDep Model Context Protocol (MCP) Server, a new feature in SafeDep vet to secure AI generated code and protect against slopsquatting attacks, vulnerable and malicious packages.
License Compliance with SBOM
https://safedep.io/license-compliance-with-sbom
Published: June 5, 2025 00:00
Although open-source speeds up development, there are risks associated with licensing. This blog examines the ways in which Software Bills of Materials, or SBOMs, facilitate audits, enforce license compliance, and identify infractions early. Discover how…
Introducing Container Image Scanning
https://safedep.io/introducing-container-scanning
Published: June 3, 2025 00:00
Introducing Container Image Scanning, a new feature in vet to identify vulnerabilities and malicious packages in container images.
Software Bill of Materials: Foundation for Trust in Software Supply Chain
https://safedep.io/software-bill-of-materials-sbom
Published: June 1, 2025 00:00
Modern software rarely ships as a single, hand-crafted binary. Instead, it is assembled from hundreds, sometimes thousands of third-party components that evolve on their own schedule. Knowing exactly what went into an application is now a basic security…
Catching the Silent Threat: How Dynamic Analysis Revealed a Complex npm Attack Chain
https://safedep.io/digging-into-dynamic-malware-analysis-signals
Published: May 19, 2025 00:00
Explore how analyzing runtime behaviors using Dynamic Analysis data helps uncover abnormal activities in open source packages. By examining network connections and unusual binary executions during package installation, we identify potential malicious…
Introducing Package Manager Guard (PMG)
https://safedep.io/introducing-package-manager-guard
Published: May 15, 2025 00:00
Introducing Package Manager Guard (PMG), a new tool to protect developers from malicious packages at the time of installation. Seamless integration with popular package managers like npm, pnpm, etc.
Dynamic Malware Analysis of Open Source Packages at Scale
https://safedep.io/dynamic-analysis-oss-package-at-scale
Published: May 1, 2025 00:00
Exploring the idea of building a complementary system that can verify and correlate static analysis findings. That's where dynamic analysis comes in, i.e. the ability to "run" an open source package in an observed environment and determine its safety status…
Malicious npm Package Impersonating Popular Express Cookie Parser
https://safedep.io/malicious-npm-package-express-cookie-parser
Published: April 23, 2025 00:00
A malicious npm package impersonating the popular Express cookie parser package was discovered by the SafeDep Cloud malicious package scanning service.
Malicious npm Package Impersonating Java SLF4J
https://safedep.io/malicious-npm-package-impersonating-slf4j
Published: April 21, 2025 00:00
A malicious npm package impersonating the popular Java logging framework SLF4J was discovered by the SafeDep Cloud malicious package scanning service.
Announcing DefectDojo Integration
https://safedep.io/vet-defect-dojo-integration
Published: April 14, 2025 00:00
Introducing DefectDojo Integration allowing vet users to export scan results to DefectDojo. Continue leveraging DefectDojo for your vulnerability management while using vet for identifying vulnerable and malicious open source packages.
Analysis of 5000+ Malicious Open Source Packages
https://safedep.io/malysis-evaluation-using-datadog-malicious-packages-dataset
Published: April 10, 2025 00:00
Analysis of malicious open source packages from Datadog's malicious packages dataset. Each of these packages was found in the wild and confirmed to be malicious. The goal of this analysis is to understand the nature of malicious OSS packages and how they…
🚀 Introducing GitLab CI/CD Component
https://safedep.io/introducing-gitlab-ci-component
Published: March 31, 2025 00:00
Introducing GitLab CI/CD Component, available in the GitLab CI Catalog for seamless integration of vet in GitLab CI. Protect against vulnerable and malicious packages in your GitLab projects.
Agentic Workflows for Malicious Package Analysis
https://safedep.io/agentic-workflows-for-malicious-package-analysis
Published: March 28, 2025 00:00
Experiments with agentic workflows for malicious package analysis built using Claude Desktop, Model Context Protocol (MCP) server, static code analysis and SafeDep Cloud API tools.
Typosquat alert! Malicious npm Package: nyc-config
https://safedep.io/nyc-config-malicious-package
Published: March 13, 2025 00:00
Possible typosquatting against @istanbuljs/load-nyc-config with ~25M weekly downloads.
Introducing vetpkg.dev - Open Source Component Security Dashboard
https://safedep.io/introducing-vetpkg-dev
Published: February 18, 2025 00:00
Introducing vetpkg.dev, built on the SafeDep API to provide easy-to-use visibility into open source component security information.
Eliminating SCA Noise using Dependency Usage Evidence
https://safedep.io/vet-code-scanning-dependency-usage-evidence
Published: February 7, 2025 00:00
The SafeDep Code Analysis framework augments vet, our free and open source tool, with code context.
What is Next Generation Software Composition Analysis?
https://safedep.io/what-is-next-gen-sca
Published: February 6, 2025 00:00
Software Composition Analysis has been around for a while, but the problems associated with open source vulnerabilities persist. Next-gen SCA is the promised solution. What is it and how does it work?
Malicious npm Packages using Burp Collaborator for Dependency Confusion Attack
https://safedep.io/burp-collaborator-for-dependency-confusion-attack
Published: January 16, 2025 00:00
Multiple npm packages impersonating popular package names were published to the npm registry including by a Snyk researcher apparently targeting internal packages at Cursor AI.
npm - The Playground for Malicious Packages
https://safedep.io/multiple-npm-malicious-package-impersonating-popular-names
Published: December 11, 2024 00:00
Multiple npm packages impersonating popular package names are being used to distribute malware. We take a closer look at the campaign.
Malicious Open Source Library Analysis: llm-oracle and its Payload
https://safedep.io/malicious-oss-package-analysis-llm-oracle
Published: November 4, 2024 00:00
Malware hidden in open source library packages is real. In this article, we analyse the malicious npm package llm-oracle.
How a Security Team uses Policy as Code for Open Source Security
https://safedep.io/vet-policy-as-code-accel-cyber-security-summit-2024
Published: October 22, 2024 00:00
This is a talk given at Accel Cyber Security Summit 2024 about securing the open source software supply chain using SafeDep vet. The talk highlights a case study of using policy as code to set up guardrails.
SQL Query Interface over SBOM using SafeDep Cloud
https://safedep.io/safedep-cloud-preview-sql-query-api
Published: October 18, 2024 00:00
This is a '#buildinpublic' update on SafeDep Cloud development. UI often becomes a bottleneck for developer tools, causing friction. We want to overcome it by providing an SQL query interface over SBOM and security metadata.
Why Open Source Risks are Larger than SCA Tools
https://safedep.io/why-oss-risks-larger-than-sca
Published: October 3, 2024 00:00
Open Source Software is critical. However, it often comes with inherited risks that are larger than what conventional Software Composition Analysis (SCA) tools can tackle.
Sneak Peek into SafeDep Cloud Development and SQL Queries
https://safedep.io/sneak-peak-into-control-tower-sql-query
Published: September 30, 2024 00:00
A Software Bill of Materials (SBOM) provides an inventory of all software components. However, it is useful only when a flexible query interface is built on top of it.
Safe and Secure Consumption of Open Source Libraries
https://safedep.io/safe-and-secure-oss-consumption
Published: September 15, 2024 00:00
Open Source software is the foundation of modern software projects. Any software written today consists of 70-90% open source code in the form of libraries and other components.