Safeguard
Open Source Security

Swift Package Manager vulnerability trends

Typosquats, thin CVE coverage, and an executable manifest format: inside the Swift Package Manager vulnerability trends security teams can't ignore.

Priya Mehta
DevSecOps Engineer
7 min read

SAN FRANCISCO — Six years after Apple folded Swift Package Manager (SwiftPM) into Xcode as the default way to pull third-party code into iOS, macOS, and server-side Swift projects, the ecosystem is showing the same growing pains that hit npm, PyPI, and RubyGems a decade earlier — just compressed into a much shorter timeline. Security researchers tracking the registry through the first half of 2026 point to a familiar pattern: rising package counts, a thin layer of manual review, and a manifest format that executes arbitrary code before a developer ever sees a dependency tree. A typosquat package published under the name swift-docc-rendeeeeeer — a near-perfect visual clone of Apple's own swift-docc-render tool — was pulled from the index after researchers flagged embedded malicious code, becoming one of the clearest public examples yet of npm-and-PyPI-style typosquatting reaching the Apple developer ecosystem. Around the same window, a parsing flaw in swift-nio-http2 (affecting versions 1.0.0 through 1.19.1) showed that even Apple-adjacent, widely embedded server-side Swift libraries carry the same class of memory-safety and protocol-handling bugs that have plagued HTTP/2 implementations across languages. Separately, Google's Firebase Apple SDK team shipped an internal workaround tied to CVE-2025-0838, underscoring that vulnerability remediation in this ecosystem often happens quietly, inside downstream SDKs, rather than through a centralized advisory process.

Taken together, these signals describe an ecosystem at an inflection point: SwiftPM usage is exploding as more teams build cross-platform and server-side Swift services, but the tooling, registries, and review processes securing it have not caught up to the maturity of the npm or Maven security stacks. For security teams shipping iOS, macOS, watchOS, tvOS, or Vapor-based backend applications, understanding why SwiftPM carries structurally different risk — not just that it does — is now a prerequisite for building an effective supply chain defense program.

A Younger, Thinner Security Layer

Unlike npm or PyPI, which have spent years building out centralized advisory databases, automated malware scanning, and package-quarantine mechanisms, the Swift package ecosystem is comparatively young and fragmented. There is no single, authoritative "SwiftPM registry" in the way there is a single npm registry — packages are resolved directly from git repository URLs, GitHub, GitLab, or self-hosted registries such as those increasingly stood up in Artifactory or AWS CodeArtifact. That decentralization has real security consequences: there is no single point where a malicious package can be delisted for everyone at once, no unified CVE feed that reliably maps to Swift package coordinates, and no consistent maintainer-verification model across the sources teams actually pull from.

CVE tracking for Swift and Swift-adjacent packages is likewise less complete than what security teams are used to for JavaScript or Python dependencies. Advisories exist — the Swift.org security page and the Swift Forums security-updates category both publish disclosures — but coverage is inconsistent, and many vulnerabilities in community-maintained packages surface first in GitHub issue threads or downstream SDK release notes rather than in a CVE record. That gap matters directly for detection tooling: a scanner that only ingests the National Vulnerability Database will miss a meaningful share of real-world SwiftPM risk.

The Manifest Problem: Package.swift Executes Code

The single most consequential design characteristic driving SwiftPM's risk profile is one that is easy to overlook: the Package.swift manifest is not a declarative metadata file — it is executable Swift code, evaluated at resolution time. Anonymous closures, arbitrary Foundation calls, and shell-outs can all run the moment a package is resolved, before a single line of the dependency's actual library code is compiled or reviewed. This is structurally similar to the risk profile of npm's postinstall scripts or Python's setup.py, both of which have been repeatedly weaponized in real-world supply chain attacks — but many iOS and macOS engineering teams, coming from a mobile-first background, are far less accustomed to treating a dependency manifest itself as untrusted, executable input.

Compounding this, Package.resolved — SwiftPM's lockfile equivalent — pins dependencies to a commit hash rather than to a cryptographically verified, immutable package artifact published to a trusted registry. Because SwiftPM's dependency model has no centralized ownership registry, whoever controls the git remote at resolution time controls what code ships. That creates a well-documented class of attack: repository or domain takeover. If a dependency's GitHub organization is deleted and its name becomes available for re-registration, or if a dependency is hosted on a domain that lapses and gets re-purchased, an attacker can silently take over the update stream for every downstream app still pointed at that source — with no registry-level circuit breaker to stop it.

Typosquatting and Malicious-Package Precedent

The swift-docc-rendeeeeeer incident is instructive precisely because it borrows a playbook the JavaScript and Python ecosystems have seen thousands of times: register a package name that is a near-identical, easily-mistyped variant of a legitimate, well-known tool, embed malicious logic, and wait for a mistyped Package.swift entry or a copy-pasted dependency URL to do the rest. The package's content was ultimately removed, but its existence confirms that the Apple developer ecosystem is no longer insulated from a tactic that has cost the JavaScript ecosystem real, measured damage.

That damage has precedent worth sizing. CocoaPods — the older, Ruby-based dependency manager still widely used alongside SwiftPM in iOS projects — disclosed trunk-server vulnerabilities in 2023 that researchers estimated had exposed more than three million apps to potential supply chain compromise between 2014 and 2023, stemming from session-token and email-verification weaknesses in how package ownership was claimed and transferred. Most production iOS apps today mix CocoaPods and SwiftPM dependencies in the same build, meaning the attack surface security teams need to reason about spans both systems simultaneously — a detail that is easy to lose when tooling and reporting treat them as separate ecosystems.

Server-Side Swift Raises the Stakes

The swift-nio-http2 parsing flaw matters beyond the mobile context because SwiftNIO underpins a growing number of server-side Swift frameworks, including Vapor, which teams are increasingly choosing for backend services that need to share code with iOS clients. A logical error in HTTP/2 HEADERS-frame priority parsing is the kind of bug that, in a networking library sitting at the edge of a production service, translates directly into denial-of-service or request-smuggling risk — the same category of impact security teams already track closely in Envoy, nginx, and other HTTP/2 implementations. As server-side Swift adoption grows, vulnerabilities in its core networking and TLS libraries deserve the same monitoring rigor teams already apply to their Go and Node.js services, not a lighter touch because "it's just an Apple thing."

What This Means for Security Teams

Three trends stand out across this reporting period. First, malicious and typosquatted packages are reaching the Swift ecosystem on the same timeline that mobile and server-side Swift adoption accelerates — the two curves are moving together. Second, CVE and advisory coverage for Swift dependencies remains meaningfully behind npm and PyPI, which means teams relying solely on NVD-fed scanners are working with an incomplete picture. Third, the manifest-execution and commit-hash-pinning design of SwiftPM means classic mitigations built for registry-based ecosystems — lockfile hash verification, registry-level malware scanning, automatic delisting — don't map cleanly onto how Swift dependencies are actually resolved, leaving a gap that most existing AppSec tooling wasn't built to close.

How Safeguard Helps

Safeguard closes exactly this gap for teams shipping Swift and Apple-platform code. Our reachability analysis traces whether a vulnerable function in a SwiftPM dependency — including transitive dependencies pulled in via git URLs and pinned commit hashes — is actually reachable from your application's call paths, so teams stop burning triage time on CVEs like the swift-nio-http2 parsing flaw that never execute in their build. Griffin, Safeguard's AI-driven security agent, cross-references community disclosures, GitHub issue threads, and downstream SDK release notes alongside sparse CVE records to surface Swift ecosystem risk — including typosquat patterns like swift-docc-rendeeeeeer — well before it lands in a formal advisory. Safeguard generates and ingests SBOMs across mixed CocoaPods and SwiftPM dependency trees, giving security teams a single, accurate inventory instead of two disconnected pictures of the same build. And when a fix is available, Safeguard opens auto-fix pull requests that update Package.resolved pins and manifest declarations directly, so remediation ships as fast as the underlying vulnerability was found.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.