Safeguard
Tag

package-security

Safeguard articles tagged "package-security" — guides, analysis, and best practices for software supply chain and application security.

21 articles

Supply Chain Security

Chocolatey Package Security on Windows: What You Need to Know

Chocolatey is the de facto package manager for Windows automation. Its trust model and security features deserve more scrutiny than most teams give them.

Mar 12, 20245 min read
Software Supply Chain Security

Dependency Hijacking Prevention: A Comprehensive Guide

Dependency hijacking encompasses multiple attack techniques that redirect dependency resolution to attacker-controlled packages. This guide covers all major hijacking vectors and their countermeasures.

Nov 5, 20235 min read
Software Supply Chain Security

pip Install Hooks Security: The Python Packaging Backdoor

Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.

Aug 18, 20234 min read
Software Supply Chain Security

Python Wheel Security Verification: What You Are Missing

Python wheels are the standard packaging format, but their security verification story has significant gaps that most developers never consider.

Jul 22, 20235 min read
Software Supply Chain Security

Malware Analysis Techniques for Suspicious npm Packages

When an npm package looks suspicious, you need a systematic approach to determine if it is malicious. These analysis techniques separate noise from genuine threats.

May 15, 20236 min read
Software Supply Chain Security

Automating Typosquatting Detection for Package Registries

Typosquatting remains one of the most effective supply chain attacks. Automated detection using string distance algorithms, behavioral analysis, and registry monitoring can catch malicious packages before they reach your builds.

Mar 5, 20235 min read
Open Source Security

Rust Supply Chain Security: How crates.io Stacks Up Against npm and PyPI

Rust's crates.io registry has design advantages for supply chain security, but it's not immune. Here's an honest assessment of the Rust ecosystem.

Sep 8, 20226 min read
Software Supply Chain Security

pip Install Hooks Security Risks: Code Execution During Package Installation

Running pip install can execute arbitrary code on your machine before you ever import the package. Here is how install hooks create risk.

Aug 8, 20224 min read
Open Source Security

Python PyPI Malware Campaigns in 2021

Malicious packages on PyPI surged in 2021, targeting developers with credential stealers, backdoors, and data exfiltration. Here's what the campaigns look like and how to defend against them.

Oct 15, 20215 min read
package-security (Page 2) — Safeguard Blog