Blog

Follow for the latest updates and insights on
open source security & engineering.

Latest From SafeDep

Malware

Malicious npm Package react-refresh-update Drops Cross-Platform Trojan on Developer Machines

A malicious npm package impersonating react-refresh, Meta's library with 42 million weekly downloads, was detected by SafeDep. The package injects a two-layer obfuscated dropper into runtime.js that...

Malware Security Announcements AI Engineering Technology Open Source SCA Compliance & SBOM CI/CD

How to Write Time-Based Security Policies in SafeDep vet

Protect against unknown malicious open source packages by enforcing a supply chain cooling-off period using the now() CEL function in SafeDep vet.

Malware

Malicious npm Package pino-sdk-v2 Exfiltrates Secrets to Discord

A malicious npm package impersonating the popular pino logger was detected by SafeDep. The package hides obfuscated code inside a legitimate library file to steal environment secrets and send them to...

Threat Modeling the AI-Native SDLC: Supply Chain Security in the Age of Coding Agents

AI agents are rewriting the software development lifecycle. From vibe coding to autonomous CI/CD, every phase now involves an LLM making decisions about your code and dependencies. Here is a threat...

Gryph: Audit Trail for AI Coding Agents

AI coding agents operate with broad access to your codebase, credentials, and shell. Gryph logs every action they take to a local SQLite database, making agent behavior visible, queryable, and...

Ship Code

Not Malware

Install the SafeDep GitHub App to keep malicious packages out of your repos.

Install GitHub App