package-registries
Safeguard articles tagged "package-registries" — guides, analysis, and best practices for software supply chain and application security.
6 articles
Typosquatting and dependency confusion: a defense guide
In 2021 one researcher got code execution inside 35+ companies for $130,000+ in bounties — without exploiting a single vulnerability. Here's how to close the gap.
Anatomy of an npm maintainer account takeover
A single phishing email hit eslint-config-prettier's ~30M weekly downloads in July 2025 — no code compromise needed, just a stolen npm login.
Anatomy of an npm Dependency Confusion Attack
One researcher published fake packages matching internal names at over 35 companies in 2021 and collected six-figure bounties — here's exactly how the registry resolution flaw works.
Starjacking Attacks on Package Registries: Exploiting Repository Trust
Starjacking exploits the trust developers place in GitHub stars and repository metadata. Attackers link malicious packages to popular repositories to appear legitimate. Here is how it works.
Domain Squatting and Package Registry Attacks
Typosquatting and domain squatting in package registries trick developers into installing malicious packages. The attack is trivially easy to execute and remarkably effective.
Brand Protection on Package Registries: Defending Your Namespace
Attackers impersonate legitimate organizations on package registries through name squatting, logo theft, and metadata manipulation. Here is how to protect your brand and your users.