Safeguard
Tag

package-registries

Safeguard articles tagged "package-registries" — guides, analysis, and best practices for software supply chain and application security.

6 articles

Supply Chain Attacks

Typosquatting and dependency confusion: a defense guide

In 2021 one researcher got code execution inside 35+ companies for $130,000+ in bounties — without exploiting a single vulnerability. Here's how to close the gap.

Jul 14, 20266 min read
Supply Chain Attacks

Anatomy of an npm maintainer account takeover

A single phishing email hit eslint-config-prettier's ~30M weekly downloads in July 2025 — no code compromise needed, just a stolen npm login.

Jul 9, 20266 min read
Supply Chain Attacks

Anatomy of an npm Dependency Confusion Attack

One researcher published fake packages matching internal names at over 35 companies in 2021 and collected six-figure bounties — here's exactly how the registry resolution flaw works.

Jul 7, 20266 min read
Software Supply Chain Security

Starjacking Attacks on Package Registries: Exploiting Repository Trust

Starjacking exploits the trust developers place in GitHub stars and repository metadata. Attackers link malicious packages to popular repositories to appear legitimate. Here is how it works.

Jul 5, 20235 min read
Supply Chain Security

Domain Squatting and Package Registry Attacks

Typosquatting and domain squatting in package registries trick developers into installing malicious packages. The attack is trivially easy to execute and remarkably effective.

Jul 5, 20236 min read
Software Supply Chain Security

Brand Protection on Package Registries: Defending Your Namespace

Attackers impersonate legitimate organizations on package registries through name squatting, logo theft, and metadata manipulation. Here is how to protect your brand and your users.

Nov 5, 20224 min read
package-registries — Safeguard Blog