dependency-confusion
Safeguard articles tagged "dependency-confusion" — guides, analysis, and best practices for software supply chain and application security.
51 articles
LLM Supply Chain Vulnerabilities
Malicious model files, poisoned datasets, and compromised ML packages are the new software supply chain frontier. Here is how these LLM attacks actually work.
Best malicious package detection tools for open source de...
A field guide to malicious package detection tools for npm and PyPI, comparing real vendors on detection method, coverage, and dependency confusion handling.
Best typosquatting and dependency confusion detection tools
A practical buyer's guide to typosquatting detection tools and dependency confusion scanners, comparing real vendors and how Safeguard fits in.
Packagist typosquatting report
A report on Packagist typosquatting campaigns targeting Composer/PHP packages, how attackers exploit install hooks, and how to detect them.
Dependency confusion attacks against major tech companies
A look at the dependency confusion attacks that hit Apple, Microsoft, PayPal, and PyTorch — and why the technique still works against top engineering orgs.
Name Confusion Attacks: Typosquatting and Brandjacking
Typosquatting and brandjacking let attackers hijack trust in package names instead of writing exploits. Here's how crossenv, PyPI's 2017 campaign, and PyTorch's torchtriton breach actually worked.
How Snyk identifies dependency confusion attacks in priva...
A technical look at how Snyk detects dependency confusion attacks — from vulnerability database malicious-package flags to registry scoping and Advisor scoring.
Anatomy of a Typosquatting Campaign: How Attackers Pick T...
Real typosquatting campaigns follow a repeatable playbook: target selection, edit-distance tricks, and install-time payloads. Here's how attackers actually pick their targets.
Dependency Confusion Attacks Five Years Later: Are Enterp...
Five years after Alex Birsan's $130K dependency confusion disclosure, real attacks like PyTorch's torchtriton incident show the flaw is still live. Here's what's actually fixed.
The Economics of Publishing Fake Packages at Scale
Publishing a malicious package costs an attacker almost nothing while payouts run into the millions. Here's the cost-benefit math behind fake packages — and how to break it.
Reconstructing a Real-World Dependency Confusion Incident...
A step-by-step reconstruction of a real dependency confusion attack, from malicious package upload to remediation, and how to defend your pipeline.
npm Supply Chain Attacks Q1 2025: Dependency Confusion, Typosquatting, and Maintainer Takeovers
The first quarter of 2025 saw a sharp increase in npm supply chain attacks. We catalog the major incidents and analyze the evolving techniques.