Blog

Follow for the latest updates and insights on
open source security & engineering.

Latest From SafeDep

Security

Unpacking CVE-2025-55182: React Server Components RCE Exploit Deep Dive and SBOM-Driven Identification

A critical pre-authenticated remote code execution vulnerability (CVE-2025-55182) was disclosed in React Server Components, affecting Next.js applications using the App Router. Learn about the...

Malware Announcements Engineering Security Open Source AI SCA Compliance & SBOM Technology CI/CD

Malware

Shai-Hulud 2.0 npm Supply Chain Attack Technical Analysis

Critical npm supply chain attack compromises zapier-sdk, @asyncapi, posthog, and @postman packages with self-replicating malware. Technical analysis reveals credential harvesting, GitHub Actions...

Open Source

Curious Case of Embedded Executable in a Newly Introduced Transitive Dependency

A routine dependency upgrade introduced a suspicious transitive dependency with an embedded executable. While manual analysis confirmed it wasn't malicious, this incident highlights the implicit...

Engineering

An Opinionated Approach for Frontend Testing for Startups

How we test our Frontend applications powered by React Query and server components with Vitest.

Malware

Malicious npm Packages Impersonating Hyatt Internal Dependencies

Three malicious npm packages disguised as Hyatt internal dependencies were discovered using install hooks to execute malicious payloads. All packages share identical attack patterns and...

Ship Code

Not Malware

Install the SafeDep GitHub App to keep malicious packages out of your repos.

Install GitHub App