Safeguard
Tag

dependency-confusion

Safeguard articles tagged "dependency-confusion" — guides, analysis, and best practices for software supply chain and application security.

51 articles

AI Security

LLM Supply Chain Vulnerabilities

Malicious model files, poisoned datasets, and compromised ML packages are the new software supply chain frontier. Here is how these LLM attacks actually work.

Nov 14, 20257 min read
Buyer's Guides

Best malicious package detection tools for open source de...

A field guide to malicious package detection tools for npm and PyPI, comparing real vendors on detection method, coverage, and dependency confusion handling.

Nov 13, 20258 min read
Buyer's Guides

Best typosquatting and dependency confusion detection tools

A practical buyer's guide to typosquatting detection tools and dependency confusion scanners, comparing real vendors and how Safeguard fits in.

Nov 13, 20258 min read
Open Source Security

Packagist typosquatting report

A report on Packagist typosquatting campaigns targeting Composer/PHP packages, how attackers exploit install hooks, and how to detect them.

Nov 13, 20257 min read
Incident Analysis

Dependency confusion attacks against major tech companies

A look at the dependency confusion attacks that hit Apple, Microsoft, PayPal, and PyTorch — and why the technique still works against top engineering orgs.

Nov 5, 20257 min read
Software Supply Chain Security

Name Confusion Attacks: Typosquatting and Brandjacking

Typosquatting and brandjacking let attackers hijack trust in package names instead of writing exploits. Here's how crossenv, PyPI's 2017 campaign, and PyTorch's torchtriton breach actually worked.

Nov 4, 20257 min read
Open Source Security

How Snyk identifies dependency confusion attacks in priva...

A technical look at how Snyk detects dependency confusion attacks — from vulnerability database malicious-package flags to registry scoping and Advisor scoring.

Aug 25, 20257 min read
Open Source Security

Anatomy of a Typosquatting Campaign: How Attackers Pick T...

Real typosquatting campaigns follow a repeatable playbook: target selection, edit-distance tricks, and install-time payloads. Here's how attackers actually pick their targets.

Aug 2, 20257 min read
Open Source Security

Dependency Confusion Attacks Five Years Later: Are Enterp...

Five years after Alex Birsan's $130K dependency confusion disclosure, real attacks like PyTorch's torchtriton incident show the flaw is still live. Here's what's actually fixed.

Aug 2, 20256 min read
Open Source Security

The Economics of Publishing Fake Packages at Scale

Publishing a malicious package costs an attacker almost nothing while payouts run into the millions. Here's the cost-benefit math behind fake packages — and how to break it.

Jul 31, 20256 min read
Open Source Security

Reconstructing a Real-World Dependency Confusion Incident...

A step-by-step reconstruction of a real dependency confusion attack, from malicious package upload to remediation, and how to defend your pipeline.

Jul 31, 20257 min read
Supply Chain Security

npm Supply Chain Attacks Q1 2025: Dependency Confusion, Typosquatting, and Maintainer Takeovers

The first quarter of 2025 saw a sharp increase in npm supply chain attacks. We catalog the major incidents and analyze the evolving techniques.

Apr 1, 20256 min read
dependency-confusion (Page 4) — Safeguard Blog