package-security
Safeguard articles tagged "package-security" — guides, analysis, and best practices for software supply chain and application security.
21 articles
Detecting AI Hallucinations in Generated Code
A USENIX Security 2025 study found 19.7% of packages recommended by 16 LLMs across 576,000 code samples don't exist — and attackers are registering them first.
NuGet Supply Chain Security: Protecting Your .NET Dependencies
How NuGet supply chain attacks work, from dependency confusion to typosquatting, and the concrete controls, lock files, source mapping, and signing, that lock down your .NET build.
How to Prevent Dependency Confusion in npm (2026)
Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.
How slopsquatting exploits AI-hallucinated package names
Slopsquatting attacks turn AI-hallucinated package names into real supply chain threats. Here's how it works, the numbers behind it, and how Safeguard stops it.
NuGet dependency confusion risk report
NuGet's default feed-resolution behavior keeps dependency confusion risk elevated across .NET orgs. Here's what the incident history shows, and how to close the gap.
Best typosquatting and dependency confusion detection tools
A practical buyer's guide to typosquatting detection tools and dependency confusion scanners, comparing real vendors and how Safeguard fits in.
Slopsquatting in the AI Era: Registering Packages AI Mode...
AI coding assistants hallucinate package names at rates as high as 19.7% — and attackers are registering those exact names. Here's how slopsquatting works and how to stop it.
PyPI Malicious Packages 2025: Python's Growing Supply Chain Problem
PyPI faced a surge of malicious package uploads in early 2025, targeting data science, AI/ML, and cloud development workflows. Here's the full picture.
Typosquatting Meets AI: The New Threat of AI-Generated Package Names
AI code assistants recommend packages that do not exist, and attackers are registering those hallucinated names. This new typosquatting vector exploits the trust developers place in AI suggestions.
Homebrew Cask Security Verification: What Gets Checked Before Installation
Homebrew Cask installs macOS applications from the command line. Here is what security verification happens (and what does not) before software lands on your Mac.
Dependency Firewalls: Concept, Architecture, and Implementation
A dependency firewall sits between your build system and public registries, filtering packages based on security policies. Here is how to design and implement one.
npm Lifecycle Scripts: The Hidden Attack Surface in Your Node.js Supply Chain
npm lifecycle scripts execute arbitrary code during package installation. This design choice creates one of the largest and least-understood attack surfaces in modern software development.