dependency-confusion
Safeguard articles tagged "dependency-confusion" — guides, analysis, and best practices for software supply chain and application security.
51 articles
NuGet Supply Chain Security: Protecting Your .NET Dependencies
How NuGet supply chain attacks work, from dependency confusion to typosquatting, and the concrete controls, lock files, source mapping, and signing, that lock down your .NET build.
Understanding dependency confusion via npm package aliasing
npm's `npm:` alias syntax lets a trusted-looking dependency name resolve to attacker-controlled code — here's how that becomes dependency confusion, and how to detect it.
What Is Open Source Malware
Open source malware is code deliberately planted in packages to attack the systems that install it. Learn how it spreads, real incidents, and how it differs from CVEs.
Malicious PyPI packages: common infiltration patterns
Real malicious PyPI package examples — typosquats, dependency confusion, hijacked maintainers, and crypto stealers — and how Safeguard catches them before install.
What is Dependency Confusion
Dependency confusion lets attackers hijack builds by publishing malicious packages under private package names to public registries. Here's how it works.
Malicious dependency attacks in the software supply chain
Dependency confusion attacks let attackers hijack builds by publishing malicious packages with higher version numbers to public registries. Here's how they work and how to stop them.
What is Typosquatting
Typosquatting tricks developers into installing malicious lookalike packages. Learn how it works, real npm/PyPI attacks, and how to detect it.
What Are Malicious Packages
Malicious npm packages steal credentials, mine crypto, or wipe files. Learn how attackers plant them and how to detect and stop them fast.
How to Detect Dependency Confusion Attacks Before They Ship
Dependency confusion still works in 2026 because teams keep missing the same three controls. Here's how to detect and block it in npm, pip, and Maven.
Reflection-Based Dependency Confusion Techniques
Dependency confusion is moving beyond name-typosquat. Reflection-based techniques let attackers hijack packages through dynamic imports and runtime resolution.
How to Prevent Dependency Confusion in npm (2026)
Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.
Dependency Confusion: Griffin AI vs Mythos
Dependency confusion is older than most of the AI tooling trying to detect it. The attacks have adapted to the defences — detection needs to keep up.