Component Quality in sbomqs: Moving Beyond Static Checks to Real Component Health

Hey SBOM community 👋 If you’ve been using sbomqs for a while, you know it does a solid job of telling you what’s in your SBOM, not just that fields exist, but what values they actually hold. Names, versions, licenses, suppliers, checksums, PURLs, CPEs — every field and its corresponding value, laid out right there in your SBOM. And when something’s missing? The score command returns a 0 score on it so you can’t miss it, while the list command shows you exactly which components are empty and which ones have real values. It’s a transparent, no-nonsense way to audit your SBOM’s contents. ...

May 19, 2026 · 11 min · 2244 words · Vivek Sahu

How OwnersBox Used the Interlynk SBOM Platform to Immediately Thwart the Shai-Hulud npm Attack

This blog post describes how OwnersBox quickly mitigated the threat of the “Shai-Hulud” npm supply chain attack in September 2025. The attack involved malicious packages that stole credentials and aggressively self-propagated.

October 27, 2025 · 3 min · 540 words · Cosimo Commisso