malicious-packages
Safeguard articles tagged "malicious-packages" — guides, analysis, and best practices for software supply chain and application security.
44 articles
npm supply chain attacks via malicious postinstall scripts
How a single postinstall hook in a compromised npm package can run malware at install time, real incidents from 2018-2025, and how to defend against it.
State of npm supply chain attacks
Maintainer phishing, self-propagating worms, and mass-download packages compromised: a look at the npm supply chain attack trends reshaping open source risk.
npm typosquatting campaigns roundup
A roundup of npm typosquatting campaign patterns, from dependency confusion to AI-tooling lookalikes, and how teams can detect exposure fast.
PyPI typosquatting and malicious package report
A 2026 look at PyPI typosquatting trends: attack patterns, CI/CD targeting, info-stealer payloads, and how to defend the Python supply chain.
Typosquatting in the Go module ecosystem
Typosquatting is surging across the Go module ecosystem, exploiting decentralized import paths and an immutable checksum database that makes takedowns nearly meaningless.
NuGet typosquatting campaign report
Four disclosed NuGet typosquatting campaigns since 2024 reveal a shift toward patient, audience-specific attacks — from ICS time bombs to wallet-draining homoglyphs.
Malicious Composer packages on Packagist
Three malicious Composer package campaigns hit Packagist in under a year -- each sitting undetected for months. Here's what happened and how to catch the next one faster.
Malicious Rust crates found on crates.io
Malicious crates keep surfacing on crates.io, from the rustdecimal typosquat to build-script payload attacks. Here's how the pattern works and how to defend against it.
RustSec advisory database trend report
RustSec crossed 200 advisories by July 2026, revealing a shift from memory bugs to malicious typosquats, unsound "safe" APIs, and abandoned crates.
Typosquatting on crates.io report
Safeguard's research team scanned all of crates.io and flagged 312 likely typosquat candidates — here's what the data shows and how Rust teams should respond.
How Snyk detects malicious and typosquatted open-source p...
How Snyk's research team detects malicious and typosquatted open-source packages — from name-similarity heuristics to install-script analysis and source-code provenance checks.
How Dependency Graphs Reveal Hidden Supply Chain Risk
Dependency graph analysis reveals which transitive packages can actually reach your code. From Log4Shell to the xz backdoor, see why flat scans miss what graphs catch.