🚀 We're hiring a Frontend Engineer Intern at SafeDep. If you enjoy turning designs into clean, thoughtful interfaces, this one's for you.

👉 What we're looking for
- Familiarity with TypeScript
- Familiarity with Next.js
- Comfort working with Figma (Dev Mode) to build from designs

This is a paid internship where you will work closely with our founding engineers on real-world products used by real teams. You'll get hands-on exposure to cybersecurity and open source supply chain security, all while working in a remote-first, async-friendly environment.

Full details & how to apply 👉 https://lnkd.in/dQVZnUAJ
SafeDep
Computer and Network Security
Dover, DE 809 followers
Open Source Software Supply Chain Security
About us
SafeDep helps security engineering teams build policy-driven guardrails against risky OSS components. Ship faster by leveraging OSS, without the inherited risks of vulnerabilities and malicious open source packages.

Our open source project vet is actively used by the community to protect against OSS risks: https://github.com/safedep/vet

We monitor open source packages for malicious behaviour and proactively protect our users from being compromised with malicious packages.

To learn more, book a demo: https://calendly.com/abhisek-safedep/30min
- Website: https://safedep.io
- Industry: Computer and Network Security
- Company size: 2-10 employees
- Headquarters: Dover, DE
- Type: Privately Held
- Founded: 2024
Locations
- Primary: Dover, DE 19901, US
Updates
SafeDep reposted this
We're grateful to SafeDep for supporting the Seasides Conference as a Bronze Sponsor and for their commitment to strengthening the open source security ecosystem.

SafeDep focuses on Open Source Software Composition Analysis (SCA) and helps organizations secure their software supply chain through SBOM, SaaSBOM, and CBOM visibility, along with malicious package detection. Their work enables teams to build and ship software with greater confidence.

Thank you, SafeDep and Abhisek Datta, for supporting the security community and helping make Seasides possible!

#SeasidesConference #BronzeSponsor #ThankYou #OpenSourceSecurity #SCA #SBOM #SoftwareSupplyChain #AppSec
As 2025 comes to a close, one thing became very clear in software security: most incidents didn't happen because teams were careless. They happened because modern software is built on trust, and that trust was quietly abused.

This year we saw:
🖊️ Maintainer accounts compromised
🖊️ Malicious code hiding in transitive dependencies
🖊️ CI pipelines becoming attack vectors
🖊️ Developer tools and extensions turning into entry points

The takeaway isn't "stop using open source." It's that open source has grown faster than our security assumptions.

The interesting shift we noticed in 2025 is this: teams are no longer asking "How many vulnerabilities do we have?" They're asking "Can we trust what we're running?"

Heading into 2026, security won't be about more alerts. It will be about earlier signals, better context, and fewer surprises.

Curious to see how the ecosystem responds next. 🤔
See you there! And meet the SafeDep team 🤩
Excited to be speaking at NULLCON Goa 2026 along with Sahil Bansal 🎤

"When Your Package Manager Became a Weapon: Anatomy of the First Self-Replicating Supply Chain Worm"

We'll dissect Shai-Hulud (the worm that hit 500+ npm packages), show how behavioral detection caught it in real-time, and release detection rules you can use today.

Talk details -> https://lnkd.in/gb79f_M2

See you in Goa! #Nullcon #SupplyChainSecurity #npm
SafeDep reposted this
One of the things I struggled with in security tools in the past is finding the right information, especially during urgent needs. The UI often feels restrictive. You really need to know all the flows to find the right information quickly. This makes UI / UX design for security tools especially complex, because different personas have different needs when it comes to finding information. In most cases, the product UX gets bloated as more features are added.

As an engineer, SQL is the right mental model for me and fellow engineers when it comes to querying relational data. To solve our own needs, one of the things we built was an SQL-like query engine on top of our gRPC API. This means users can see an SQL schema and write queries to find exactly what they need in SafeDep Cloud, over their own software supply chain security data (SBOM and other stuff). Imagine writing SQL to query your org-wide SBOM for various risks.

Implementing this, however, was not trivial. You cannot just execute user-supplied SQL on a multi-tenant data model. It's not just about data isolation; there are significant performance risks related to query patterns that are not backed by appropriate indexes.

Our solution was the one we use, as usual, for most platform engineering concerns: a declarative approach to defining a virtual schema with allowed columns that can be returned or used for filtering. The framework fails fast if any of these columns is not backed by at least one index. In addition to that, we enforce cursor-based time range pagination as a guardrail against table scans and returning large row sets. User-supplied SQL is parsed and interpreted before executing in a dedicated read replica.

I'd love to know if anyone has tried building something like this and if there are other corner cases or scenarios that we should consider.
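The guardrails the post above describes (a declared virtual schema, a fail-fast check that every exposed column is index-backed, a mandatory bounded time range with keyset pagination, and parsing user SQL before running it on a separate connection) can be sketched in a few dozen lines. The following is an added example, not SafeDep's code or gRPC API: it uses Python's `sqlite3` standing in for the read replica, a constructed `packages` table with made-up rows, a hypothetical `VirtualTable` definition, and a deliberately tiny SQL grammar (one table, `AND`-joined comparisons) so that anything outside it is refused rather than interpreted.

```python
import re
import sqlite3
from collections import namedtuple

class SchemaError(ValueError): pass
class QueryError(ValueError): pass

# Hypothetical virtual schema (not SafeDep's): the only table and columns user SQL can reach.
# columns maps virtual -> physical names; key_column breaks ties in the keyset cursor.
VirtualTable = namedtuple("VirtualTable", "name physical columns time_column key_column")

def validate_schema(conn, vt):
    """Fail fast at startup: every exposed column must be a primary key or lead an index."""
    ok = {r[1] for r in conn.execute(f"PRAGMA table_info('{vt.physical}')") if r[5]}
    for (idx,) in conn.execute("SELECT name FROM sqlite_master WHERE type='index' "
                               "AND tbl_name=?", (vt.physical,)):
        ok.update(r[2] for r in conn.execute(f"PRAGMA index_info('{idx}')") if r[0] == 0)
    missing = sorted(set(vt.columns.values()) - ok)
    if missing:
        raise SchemaError(f"{vt.name}: exposed columns without an index: {missing}")
    return True

TOKEN = re.compile(r"\s*(?:(?P<str>'(?:[^']|'')*')|(?P<num>\d+)|(?P<op><=|>=|=|<|>)"
                   r"|(?P<comma>,)|(?P<ident>[A-Za-z_]\w*))")

def parse(sql):
    """Grammar: SELECT col[, col] FROM table WHERE col op literal [AND ...]; anything else is rejected."""
    if TOKEN.sub("", sql).strip():
        raise QueryError(f"unsupported syntax in {sql!r}")
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN.finditer(sql)] + [("end", "")]
    i = 0
    def take(kind, word=None):
        nonlocal i
        k, v = toks[i]
        if k != kind or (word and v.upper() != word):
            raise QueryError(f"expected {word or kind}, got {v!r}")
        i += 1
        return v
    take("ident", "SELECT"); cols = [take("ident")]
    while toks[i][0] == "comma":
        take("comma"); cols.append(take("ident"))
    take("ident", "FROM"); table = take("ident"); take("ident", "WHERE"); filters = []
    while True:
        col, op, (k, v) = take("ident"), take("op"), toks[i]
        if k == "str": val = v[1:-1].replace("''", "'")
        elif k == "num": val = int(v)
        else: raise QueryError(f"expected a literal, got {v!r}")
        take(k); filters.append((col, op, val))
        if toks[i] == ("end", ""): break
        take("ident", "AND")   # predicates may only be joined with AND
    return table, cols, filters

def run(conn, vt, sql, tenant_id, cursor=None, page_size=100):
    """Parse, compile to parameterized SQL, execute, return (rows, next_cursor)."""
    table, cols, filters = parse(sql)
    if table.lower() != vt.name:
        raise QueryError(f"unknown table {table!r}")
    unknown = [c for c in cols + [f[0] for f in filters] if c.lower() not in vt.columns]
    if unknown:
        raise QueryError(f"columns not exposed by {vt.name}: {unknown}")
    select = ", ".join(f"{vt.columns[c.lower()]} AS {c.lower()}" for c in cols)
    # tenant isolation comes from the authenticated caller, never from the user's SQL
    where, params, lower, upper = ["tenant_id = ?"], [tenant_id], False, False
    for col, op, val in filters:
        if col.lower() == vt.time_column:
            lower |= op in (">", ">="); upper |= op in ("<", "<=")
        where.append(f"{vt.columns[col.lower()]} {op} ?"); params.append(val)
    if not (lower and upper):   # guardrail against unbounded, table-scanning queries
        raise QueryError(f"a bounded range on {vt.time_column} is required")
    tcol, kcol = vt.columns[vt.time_column], vt.columns[vt.key_column]
    if cursor:                  # keyset pagination: resume strictly after (time, key)
        where.append(f"({tcol} > ? OR ({tcol} = ? AND {kcol} > ?))")
        params += [cursor[0], cursor[0], cursor[1]]
    rows = conn.execute(f"SELECT {select}, {tcol}, {kcol} FROM {vt.physical} WHERE "
                        f"{' AND '.join(where)} ORDER BY {tcol}, {kcol} LIMIT {page_size + 1}",
                        params).fetchall()   # the extra row reveals whether more pages exist
    page, n = rows[:page_size], len(cols)
    nxt = (page[-1][n], page[-1][n + 1]) if len(rows) > page_size else None
    return [r[:n] for r in page], nxt

def demo_db():
    """Constructed sample data; package names, versions and severities are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""CREATE TABLE packages (id INTEGER PRIMARY KEY, tenant_id TEXT,
        name TEXT, version TEXT, max_severity TEXT, created_at TEXT);
        CREATE INDEX ix_tenant ON packages(tenant_id); CREATE INDEX ix_name ON packages(name);
        CREATE INDEX ix_sev ON packages(max_severity); CREATE INDEX ix_at ON packages(created_at);""")
    conn.executemany("INSERT INTO packages VALUES (?,?,?,?,?,?)", [
        (1, "t1", "alpha", "1.0.0", "NONE", "2025-12-01T00:00:00Z"),
        (2, "t1", "beta", "2.1.0", "CRITICAL", "2025-12-02T00:00:00Z"),
        (3, "t2", "delta", "3.0.0", "CRITICAL", "2025-12-03T00:00:00Z"),
        (4, "t1", "epsilon", "1.2.0", "CRITICAL", "2025-12-04T00:00:00Z")])
    return conn

# "version" is deliberately not exposed: it has no index, so validate_schema would reject it.
PACKAGES = VirtualTable("packages", "packages", {"id": "id", "name": "name",
                        "severity": "max_severity", "created_at": "created_at"}, "created_at", "id")
CRITICAL_Q = ("SELECT name, severity FROM packages WHERE severity = 'CRITICAL' "
              "AND created_at >= '2025-12-01' AND created_at < '2026-01-01'")
```

`validate_schema` is meant to run once at startup; adding `"version": "version"` to the schema makes it raise, because that column has no index. `run` always injects the tenant filter from the caller's identity, refuses a query that does not bound `created_at` on both sides (or that uses anything outside the grammar, such as `*`, `OR`, or a trailing `;`), and returns a `(time, id)` cursor that the client feeds back to fetch the next page instead of paging by offset.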
2025 checklist:
✅ Survived npm supply chain chaos
✅ Fixed CI that wasn't your fault
🟩 Help vet reach 1K stars

Let's complete the trilogy before the year ends 😊 https://lnkd.in/drPTmfJY
A Visual Studio Code extension downloading EXEs + DLLs, running hidden PowerShell, and beaconing to a malicious domain? Yep... that happened.

We dissected the DarkGPT VS Code malware and its full attack chain. If you use extensions, you'll want to read this: https://lnkd.in/dat83PgN
The recent React Server Components RCE (CVE-2025-55182) is a reminder of something bigger: modern frameworks move faster than most security playbooks.

A single deserialization flaw quietly slipped into core React releases… and because ecosystems like Next.js sit on top of it, thousands of teams inherited the risk without ever touching the vulnerable code.

This isn't about one CVE, it's about visibility. If you can't answer "where exactly do we use this dependency?" in seconds, incidents like this become fire drills.

We put together a breakdown focused on impact, lessons learned, and how SBOM-driven discovery makes response significantly less painful.

Read the full analysis 👇 https://lnkd.in/dKViznQ5

#React #Nextjs #opensource
SafeDep reposted this
Troubled with the React Server Components RCE? How about using SQL to identify all your vulnerable repositories? But that works only if you have an SBOM.

SBOM is no longer the most happening thing in security today. But, IMHO, it is one of the foundational capabilities that every security engineering team should have, especially in times of critical-impact vulnerabilities and supply chain incidents.

There are multiple free and open source tools for generating SBOMs, such as Trivy, Syft, cdxgen and our very own vet. Generating SBOMs of acceptable quality is no longer a challenge. However, the discipline of continuously generating SBOMs for every application, versioning them, storing them and having the ability to query them in times of need is surely not trivial. In my experience, OWASP Dependency-Track does an excellent job at providing some of these capabilities if you are looking for a free and self-hosted option.

In spite of my JavaScript ignorance, I spent time digging into CVE-2025-55182, the React Server Components prototype pollution vulnerability that can lead to trivial RCE in many cases. I leveraged vet and SafeDep Cloud to search for affected repositories and involved our more capable engineers at SafeDep to get them fixed.

Check out our blog where we leverage vet's (free and open source) sqlite3 reporting to create a GitHub org-wide database, query it and find impacted repositories. We also demonstrate how to leverage SafeDep Cloud for continuous SBOM and SQL-like queries. Link in comment.