package-registry
Safeguard articles tagged "package-registry" — guides, analysis, and best practices for software supply chain and application security.
10 articles
Dependency confusion on npm: how public-registry precedence became a delivery channel for post-exploitation frameworks
In May 2022, Snyk found 200+ malicious npm packages, including one that polled for commands until it dropped a Cobalt Strike trojan, and another that delayed 30 minutes to dodge sandboxes.
The anatomy of a PyPI credential stealer
In a single 24-hour window in 2022, one actor shipped 12 malicious PyPI packages bundling Windows stealers that harvested browser, Discord, and Roblox credentials.
npm Garbage Collection Abuse: Attack Research
npm's unpublish and tarball retention rules create a narrow but real window for attackers to reclaim deleted names and swap tarball contents. Here is the 2025 research.
Blocking Malicious Packages at the Proxy Level With Artifactory
Once a compromised dependency reaches a laptop or CI runner, you are doing incident response. Blocked at the Artifactory proxy, it is a log line. Here is the configuration that makes that happen.
Hex.pm package registry security and Elixir supply chain ...
Hex.pm blocks install-time scripts npm allows, but Elixir dependency risk still hides in native builds, Erlang CVEs, and thin registry-side vetting. Here's what to watch.
What Is a Package Registry?
A package registry is the network service your package manager pulls code from. Here is how registries work, why they are a critical trust boundary, and how to secure what you download.
Choosing a Private Package Registry in 2025
A 2025 buyer's guide comparing JFrog Artifactory, Sonatype Nexus, GitHub Packages, Google Artifact Registry, and Cloudsmith on ecosystems, policy, and TCO.
Package Registry Mirroring: Security Benefits and Hidden Risks
Mirroring npm, PyPI, or Maven Central locally reduces dependency on external infrastructure. But mirrors introduce their own security considerations that most teams overlook.
Rate Limiting in Package Registries: Balancing Security and Developer Experience
Docker Hub's rate limits broke builds worldwide. Rate limiting is necessary for registry security, but getting it wrong disrupts entire engineering organizations.
Securing Your Private Package Registry
Private package registries are high-value targets for supply chain attackers. Here is how to lock them down, from access controls to dependency confusion prevention.