Safeguard
Tag

package-registry-security

Safeguard articles tagged "package-registry-security" — guides, analysis, and best practices for software supply chain and application security.

14 articles

Software Supply Chain Security

npm typosquatting attacks

npm typosquatting turns a single mistyped `npm install` into a live compromise. Real incidents, attack patterns, and defenses that actually catch it.

Jul 6, 20267 min read
Software Supply Chain Security

PyPI typosquatting malicious packages

PyPI typosquatting tricks developers into installing malicious lookalike packages via one-letter typos. Real incidents, attack patterns, and defenses inside.

Jul 2, 20265 min read
Software Supply Chain Security

Trusted Publishing for npm: Why Only 14% of Compromised P...

Only 14% of packages compromised since npm launched Trusted Publishing use it. Here's how OIDC-based publishing works, why adoption lags, and what still gets missed.

May 17, 20268 min read
Threat Intelligence

Typosquatting across package registries (npm, Go, PyPI)

Typosquatting has infected npm, PyPI, and now Go modules. We break down real attacks like crossenv and colourama, how Socket.dev detects them, and where the gaps remain.

May 9, 20267 min read
Cloud Security

Dependency Confusion Attack

How dependency confusion attacks exploit registry name collisions to run attacker code inside corporate networks, from Alex Birsan's 2021 research to the 2022 PyTorch breach.

Apr 13, 20266 min read
Software Supply Chain Security

Malicious dependency attacks in the software supply chain

Dependency confusion attacks let attackers hijack builds by publishing malicious packages with higher version numbers to public registries. Here's how they work and how to stop them.

Apr 4, 20267 min read
Software Supply Chain Security

What is Artifact Repository Security

Artifact repositories are prime attack targets — one poisoned package reaches every downstream consumer. Here's what actually secures them.

Feb 3, 20267 min read
Vulnerability Analysis

Typosquatting in open source package registries explained

Typosquatting hides malware behind a one-character package name typo. Learn how it works, real incidents, and how to detect it before your build runs.

Dec 7, 20257 min read
Open Source Security

RubyGems.org domain takeover risk report

RubyGems.org hasn't adopted the domain-resurrection defenses PyPI rolled out in 2025 — leaving a proven account-takeover technique open across the Ruby ecosystem.

Nov 21, 20257 min read
Open Source Security

NuGet typosquatting campaign report

Four disclosed NuGet typosquatting campaigns since 2024 reveal a shift toward patient, audience-specific attacks — from ICS time bombs to wallet-draining homoglyphs.

Nov 15, 20257 min read
Open Source Security

CocoaPods trunk supply chain vulnerability report

Three CocoaPods trunk server flaws sat unpatched for a decade, exposing 1,866 orphaned pods to takeover. Here's what happened and how to defend your dependencies.

Nov 10, 20257 min read
Buyer's Guides

Best artifact repository security tools

A practical, no-hype buyer's guide to artifact repository security tools — what to evaluate, six real vendors compared fairly, and where Safeguard fits.

Nov 8, 20258 min read
package-registry-security — Safeguard Blog