dependency-confusion
Safeguard articles tagged "dependency-confusion" — guides, analysis, and best practices for software supply chain and application security.
51 articles
Dependency Confusion: Attack Evolution from 2022 to 2026
Alex Birsan's 2021 disclosure named a class of attacks. Four years on, dependency confusion has evolved across registries, tooling, and victim profiles.
Blocking Malicious Packages at the Proxy Level With Artifactory
Once a compromised dependency reaches a laptop or CI runner, you are doing incident response. Blocked at the Artifactory proxy, it is a log line. Here is the configuration that makes that happen.
What is PyPI Security
PyPI security stops typosquats, dependency confusion, and poisoned CI builds before pip install ever runs your code.
What is a Private Package Registry
A private package registry controls who can publish and pull internal and third-party code — but only if it's configured to block, not just cache, public fallback resolution.
What is Artifact Repository Security
Artifact repositories are prime attack targets — one poisoned package reaches every downstream consumer. Here's what actually secures them.
NuGet supply chain attacks: typosquatting and dependency ...
NuGet typosquatting and dependency confusion let attackers plant malicious packages in .NET builds. Here's how real campaigns worked and how to stop them.
PyPI malware campaigns targeting machine learning and dat...
PyPI malware ML packages have hit PyTorch and Ultralytics YOLO via dependency confusion and CI/CD compromise. What happened, and how to defend your ML supply chain.
pip's Version-Based Resolution and the Origin of Dependen...
CVE-2018-20225 exposed how pip's version-based resolver lets a higher-versioned public PyPI package silently override a private one — the origin of dependency confusion attacks.
The torchtriton Dependency Confusion Attack on PyTorch-Ni...
How a namespace gap on PyPI let a malicious "torchtriton" package hijack PyTorch-nightly installs for five days, and what it teaches about ML supply chain security.
npm typosquatting campaigns roundup
A roundup of npm typosquatting campaign patterns, from dependency confusion to AI-tooling lookalikes, and how teams can detect exposure fast.
Securing the .NET NuGet Supply Chain
Package source mapping, packages.lock.json, NuGetAudit and signature verification — .NET ships more built-in supply chain controls than any other ecosystem. Most teams enable none of them.
Go module checksum database bypass risks
Go's GOSUMDB checksum verification is meant to be on by default, but Safeguard's research found roughly 1 in 6 CI pipelines quietly disable it.