Safeguard
Tag

dependency-confusion

Safeguard articles tagged "dependency-confusion" — guides, analysis, and best practices for software supply chain and application security.

51 articles

Threat Intelligence

Dependency Confusion: Attack Evolution from 2022 to 2026

Alex Birsan's 2021 disclosure named a class of attacks. Four years on, dependency confusion has evolved across registries, tooling, and victim profiles.

Mar 2, 20265 min read
Supply Chain

Blocking Malicious Packages at the Proxy Level With Artifactory

Once a compromised dependency reaches a laptop or CI runner, you are doing incident response. Blocked at the Artifactory proxy, it is a log line. Here is the configuration that makes that happen.

Feb 18, 20266 min read
Open Source Security

What is PyPI Security

PyPI security stops typosquats, dependency confusion, and poisoned CI builds before pip install ever runs your code.

Feb 8, 20267 min read
Software Supply Chain Security

What is a Private Package Registry

A private package registry controls who can publish and pull internal and third-party code — but only if it's configured to block, not just cache, public fallback resolution.

Feb 4, 20266 min read
Software Supply Chain Security

What is Artifact Repository Security

Artifact repositories are prime attack targets — one poisoned package reaches every downstream consumer. Here's what actually secures them.

Feb 3, 20267 min read
Open Source Security

NuGet supply chain attacks: typosquatting and dependency ...

NuGet typosquatting and dependency confusion let attackers plant malicious packages in .NET builds. Here's how real campaigns worked and how to stop them.

Jan 31, 20268 min read
Open Source Security

PyPI malware campaigns targeting machine learning and dat...

PyPI malware ML packages have hit PyTorch and Ultralytics YOLO via dependency confusion and CI/CD compromise. What happened, and how to defend your ML supply chain.

Jan 25, 20269 min read
Open Source Security

pip's Version-Based Resolution and the Origin of Dependen...

CVE-2018-20225 exposed how pip's version-based resolver lets a higher-versioned public PyPI package silently override a private one — the origin of dependency confusion attacks.

Dec 3, 20257 min read
Open Source Security

The torchtriton Dependency Confusion Attack on PyTorch-Ni...

How a namespace gap on PyPI let a malicious "torchtriton" package hijack PyTorch-nightly installs for five days, and what it teaches about ML supply chain security.

Dec 3, 20257 min read
Open Source Security

npm typosquatting campaigns roundup

A roundup of npm typosquatting campaign patterns, from dependency confusion to AI-tooling lookalikes, and how teams can detect exposure fast.

Nov 30, 20257 min read
Engineering

Securing the .NET NuGet Supply Chain

Package source mapping, packages.lock.json, NuGetAudit and signature verification — .NET ships more built-in supply chain controls than any other ecosystem. Most teams enable none of them.

Nov 24, 20256 min read
Open Source Security

Go module checksum database bypass risks

Go's GOSUMDB checksum verification is meant to be on by default, but Safeguard's research found roughly 1 in 6 CI pipelines quietly disable it.

Nov 18, 20257 min read
dependency-confusion (Page 3) — Safeguard Blog