Safeguard
Tag

pypi

Safeguard articles tagged "pypi" — guides, analysis, and best practices for software supply chain and application security.

69 articles

Supply Chain Security

CVE-2026-45321: Anatomy of the TanStack npm and PyPI Supply Chain Worm

The Mini Shai-Hulud worm hit TanStack, Mistral AI, UiPath and 170+ npm and PyPI packages by hijacking a trusted release pipeline mid-run. Here is how the software supply chain attack actually worked, and what it changes.

Jun 23, 20267 min read
Supply Chain Security

PyTorch Lightning PyPI Compromise: A Software Supply Chain Attack Built to Drain ML Credentials

In April 2026, attackers pushed malicious versions of the lightning PyPI package and an npm intercom-client release, harvesting cloud, CI/CD, and GitHub credentials. Here is what happened and why ML tooling is now a prime supply chain target.

Jun 20, 20266 min read
Supply Chain Security

Why postinstall Scripts Became the Frontline of the Software Supply Chain Attack

Install-time script execution turned npm install and pip install into code-execution events. Here is how 2026's wave of attacks works, and the lockfile, allowlist, and sandbox discipline that actually stops it.

Jun 7, 20267 min read
Supply Chain Attacks

TrapDoor: The Cross-Ecosystem Crypto Stealer That Targeted DeFi Developers (May 2026)

Socket disclosed TrapDoor on May 24, 2026: 34+ malicious packages and 384+ versions across npm, PyPI, and Crates.io built to steal crypto wallets, SSH keys, and cloud credentials from crypto, DeFi, Solana, and AI developers.

May 26, 202612 min read
Supply Chain Attacks

Microsoft's durabletask PyPI Package Compromised (19 May 2026): A Linux Wiper and Multi-Cloud Credential Theft

On 19 May 2026, three malicious versions of Microsoft's durabletask PyPI package were uploaded in a 35-minute window. The payload steals AWS, Azure, GCP, and Kubernetes credentials in under four seconds and ships a locale-gated rm -rf wiper.

May 20, 202610 min read
Supply Chain Attacks

How to Detect Dependency Confusion Attacks Before They Ship

Dependency confusion still works in 2026 because teams keep missing the same three controls. Here's how to detect and block it in npm, pip, and Maven.

Mar 27, 20268 min read
Incident Analysis

PyPI Trusted Publishing Token Leaks in 2025

Trusted Publishing made PyPI safer, but leaked short-lived OIDC tokens in CI logs kicked off a credential-replay campaign that PyPI, GitHub, and Sonatype all tracked in 2025.

Mar 19, 20268 min read
Supply Chain Attacks

OSS Maintainer Account Takeover Trends 2025

A senior engineer's breakdown of how maintainer account takeovers evolved in 2025, from phishing kits targeting PyPI to session token theft on GitHub and npm.

Mar 7, 20267 min read
Open Source Security

PyPI 2FA Lessons Two Years In

PyPI mandated 2FA for all maintainers in 2024. Two years in, account takeovers dropped — but attackers shifted to OIDC tokens, abandoned packages, and maintainer devices.

Mar 6, 20267 min read
Threat Intelligence

Dependency Confusion: Attack Evolution from 2022 to 2026

Alex Birsan's 2021 disclosure named a class of attacks. Four years on, dependency confusion has evolved across registries, tooling, and victim profiles.

Mar 2, 20265 min read
Industry Analysis

Python Security Explained

How Python's install-time code execution and open PyPI namespace fuel real supply chain attacks — and what actually reduces the risk.

Feb 24, 20267 min read
Supply Chain

PyPI Security: Malware Campaigns and How to Defend

The Python Package Index has become a first-class malware channel — from the ctx hijack to the ultralytics pipeline compromise. Here are the campaigns worth studying and the defenses that work.

Feb 12, 20266 min read
pypi (Page 2) — Safeguard Blog