package-registry-security
Safeguard articles tagged "package-registry-security" — guides, analysis, and best practices for software supply chain and application security.
14 articles
npm typosquatting attacks
npm typosquatting turns a single mistyped `npm install` into a live compromise. Real incidents, attack patterns, and defenses that actually catch it.
PyPI typosquatting malicious packages
PyPI typosquatting tricks developers into installing malicious lookalike packages via one-letter typos. Real incidents, attack patterns, and defenses inside.
Trusted Publishing for npm: Why Only 14% of Compromised P...
Only 14% of packages compromised since npm launched Trusted Publishing use it. Here's how OIDC-based publishing works, why adoption lags, and what still gets missed.
Typosquatting across package registries (npm, Go, PyPI)
Typosquatting has infected npm, PyPI, and now Go modules. We break down real attacks like crossenv and colourama, how Socket.dev detects them, and where the gaps remain.
Dependency Confusion Attack
How dependency confusion attacks exploit registry name collisions to run attacker code inside corporate networks, from Alex Birsan's 2021 research to the 2022 PyTorch breach.
Malicious dependency attacks in the software supply chain
Dependency confusion attacks let attackers hijack builds by publishing malicious packages with higher version numbers to public registries. Here's how they work and how to stop them.
What is Artifact Repository Security
Artifact repositories are prime attack targets — one poisoned package reaches every downstream consumer. Here's what actually secures them.
Typosquatting in open source package registries explained
Typosquatting hides malware behind a one-character package name typo. Learn how it works, real incidents, and how to detect it before your build runs.
RubyGems.org domain takeover risk report
RubyGems.org hasn't adopted the domain-resurrection defenses PyPI rolled out in 2025 — leaving a proven account-takeover technique open across the Ruby ecosystem.
NuGet typosquatting campaign report
Four disclosed NuGet typosquatting campaigns since 2024 reveal a shift toward patient, audience-specific attacks — from ICS time bombs to wallet-draining homoglyphs.
CocoaPods trunk supply chain vulnerability report
Three CocoaPods trunk server flaws sat unpatched for a decade, exposing 1,866 orphaned pods to takeover. Here's what happened and how to defend your dependencies.
Best artifact repository security tools
A practical, no-hype buyer's guide to artifact repository security tools — what to evaluate, six real vendors compared fairly, and where Safeguard fits.