Safeguard
Tag

package-security

Safeguard articles tagged "package-security" — guides, analysis, and best practices for software supply chain and application security.

21 articles

AI Security

Detecting AI Hallucinations in Generated Code

A USENIX Security 2025 study found 19.7% of packages recommended by 16 LLMs across 576,000 code samples don't exist — and attackers are registering them first.

Jul 8, 20266 min read
Security Guides

NuGet Supply Chain Security: Protecting Your .NET Dependencies

How NuGet supply chain attacks work, from dependency confusion to typosquatting, and the concrete controls, lock files, source mapping, and signing, that lock down your .NET build.

Jul 4, 20265 min read
Best Practices

How to Prevent Dependency Confusion in npm (2026)

Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.

Mar 13, 20267 min read
AI Security

How slopsquatting exploits AI-hallucinated package names

Slopsquatting attacks turn AI-hallucinated package names into real supply chain threats. Here's how it works, the numbers behind it, and how Safeguard stops it.

Dec 14, 20257 min read
Open Source Security

NuGet dependency confusion risk report

NuGet's default feed-resolution behavior keeps dependency confusion risk elevated across .NET orgs. Here's what the incident history shows, and how to close the gap.

Nov 14, 20257 min read
Buyer's Guides

Best typosquatting and dependency confusion detection tools

A practical buyer's guide to typosquatting detection tools and dependency confusion scanners, comparing real vendors and how Safeguard fits in.

Nov 13, 20258 min read
Open Source Security

Slopsquatting in the AI Era: Registering Packages AI Mode...

AI coding assistants hallucinate package names at rates as high as 19.7% — and attackers are registering those exact names. Here's how slopsquatting works and how to stop it.

Jul 30, 20257 min read
Supply Chain Security

PyPI Malicious Packages 2025: Python's Growing Supply Chain Problem

PyPI faced a surge of malicious package uploads in early 2025, targeting data science, AI/ML, and cloud development workflows. Here's the full picture.

Mar 28, 20256 min read
Software Supply Chain Security

Typosquatting Meets AI: The New Threat of AI-Generated Package Names

AI code assistants recommend packages that do not exist, and attackers are registering those hallucinated names. This new typosquatting vector exploits the trust developers place in AI suggestions.

Oct 20, 20247 min read
Software Supply Chain Security

Homebrew Cask Security Verification: What Gets Checked Before Installation

Homebrew Cask installs macOS applications from the command line. Here is what security verification happens (and what does not) before software lands on your Mac.

May 8, 20245 min read
Software Supply Chain Security

Dependency Firewalls: Concept, Architecture, and Implementation

A dependency firewall sits between your build system and public registries, filtering packages based on security policies. Here is how to design and implement one.

Mar 25, 20247 min read
Supply Chain Security

npm Lifecycle Scripts: The Hidden Attack Surface in Your Node.js Supply Chain

npm lifecycle scripts execute arbitrary code during package installation. This design choice creates one of the largest and least-understood attack surfaces in modern software development.

Mar 20, 20247 min read
package-security — Safeguard Blog