package-security
Safeguard articles tagged "package-security" — guides, analysis, and best practices for software supply chain and application security.
21 articles
Chocolatey Package Security on Windows: What You Need to Know
Chocolatey is the de facto package manager for Windows automation. Its trust model and security features deserve more scrutiny than most teams give them.
Dependency Hijacking Prevention: A Comprehensive Guide
Dependency hijacking encompasses multiple attack techniques that redirect dependency resolution to attacker-controlled packages. This guide covers all major hijacking vectors and their countermeasures.
pip Install Hooks Security: The Python Packaging Backdoor
Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.
Python Wheel Security Verification: What You Are Missing
Python wheels are the standard packaging format, but their security verification story has significant gaps that most developers never consider.
Malware Analysis Techniques for Suspicious npm Packages
When an npm package looks suspicious, you need a systematic approach to determine if it is malicious. These analysis techniques separate noise from genuine threats.
Automating Typosquatting Detection for Package Registries
Typosquatting remains one of the most effective supply chain attacks. Automated detection using string distance algorithms, behavioral analysis, and registry monitoring can catch malicious packages before they reach your builds.
Rust Supply Chain Security: How crates.io Stacks Up Against npm and PyPI
Rust's crates.io registry has design advantages for supply chain security, but it's not immune. Here's an honest assessment of the Rust ecosystem.
pip Install Hooks Security Risks: Code Execution During Package Installation
Running pip install can execute arbitrary code on your machine before you ever import the package. Here is how install hooks create risk.
Python PyPI Malware Campaigns in 2021
Malicious packages on PyPI surged in 2021, targeting developers with credential stealers, backdoors, and data exfiltration. Here's what the campaigns look like and how to defend against them.