Safeguard
Tag

package-registry

Safeguard articles tagged "package-registry" — guides, analysis, and best practices for software supply chain and application security.

10 articles

Supply Chain Attacks

Dependency confusion on npm: how public-registry precedence became a delivery channel for post-exploitation frameworks

In May 2022, Snyk found 200+ malicious npm packages, including one that polled for commands until it dropped a Cobalt Strike trojan, and another that delayed 30 minutes to dodge sandboxes.

Jul 11, 20265 min read
Supply Chain Attacks

The anatomy of a PyPI credential stealer

In a single 24-hour window in 2022, one actor shipped 12 malicious PyPI packages bundling Windows stealers that harvested browser, Discord, and Roblox credentials.

Jul 11, 20267 min read
Emerging Technology

npm Garbage Collection Abuse: Attack Research

npm's unpublish and tarball retention rules create a narrow but real window for attackers to reclaim deleted names and swap tarball contents. Here is the 2025 research.

Mar 23, 20268 min read
Supply Chain

Blocking Malicious Packages at the Proxy Level With Artifactory

Once a compromised dependency reaches a laptop or CI runner, you are doing incident response. Blocked at the Artifactory proxy, it is a log line. Here is the configuration that makes that happen.

Feb 18, 20266 min read
Open Source Security

Hex.pm package registry security and Elixir supply chain ...

Hex.pm blocks install-time scripts npm allows, but Elixir dependency risk still hides in native builds, Erlang CVEs, and thin registry-side vetting. Here's what to watch.

Feb 1, 20267 min read
Concepts

What Is a Package Registry?

A package registry is the network service your package manager pulls code from. Here is how registries work, why they are a critical trust boundary, and how to secure what you download.

Jul 14, 20256 min read
DevSecOps

Choosing a Private Package Registry in 2025

A 2025 buyer's guide comparing JFrog Artifactory, Sonatype Nexus, GitHub Packages, Google Artifact Registry, and Cloudsmith on ecosystems, policy, and TCO.

May 8, 20255 min read
Supply Chain Security

Package Registry Mirroring: Security Benefits and Hidden Risks

Mirroring npm, PyPI, or Maven Central locally reduces dependency on external infrastructure. But mirrors introduce their own security considerations that most teams overlook.

Oct 8, 20235 min read
Infrastructure Security

Rate Limiting in Package Registries: Balancing Security and Developer Experience

Docker Hub's rate limits broke builds worldwide. Rate limiting is necessary for registry security, but getting it wrong disrupts entire engineering organizations.

Jul 12, 20235 min read
How-To Guide

Securing Your Private Package Registry

Private package registries are high-value targets for supply chain attackers. Here is how to lock them down, from access controls to dependency confusion prevention.

May 30, 20236 min read
package-registry — Safeguard Blog