pypi
Safeguard articles tagged "pypi" — guides, analysis, and best practices for software supply chain and application security.
69 articles
CVE-2026-45321: Anatomy of the TanStack npm and PyPI Supply Chain Worm
The Mini Shai-Hulud worm hit TanStack, Mistral AI, UiPath and 170+ npm and PyPI packages by hijacking a trusted release pipeline mid-run. Here is how the software supply chain attack actually worked, and what it changes.
PyTorch Lightning PyPI Compromise: A Software Supply Chain Attack Built to Drain ML Credentials
In April 2026, attackers pushed malicious versions of the lightning PyPI package and an npm intercom-client release, harvesting cloud, CI/CD, and GitHub credentials. Here is what happened and why ML tooling is now a prime supply chain target.
Why postinstall Scripts Became the Frontline of the Software Supply Chain Attack
Install-time script execution turned npm install and pip install into code-execution events. Here is how 2026's wave of attacks works, and the lockfile, allowlist, and sandbox discipline that actually stops it.
TrapDoor: The Cross-Ecosystem Crypto Stealer That Targeted DeFi Developers (May 2026)
Socket disclosed TrapDoor on May 24, 2026: 34+ malicious packages and 384+ versions across npm, PyPI, and Crates.io built to steal crypto wallets, SSH keys, and cloud credentials from crypto, DeFi, Solana, and AI developers.
Microsoft's durabletask PyPI Package Compromised (19 May 2026): A Linux Wiper and Multi-Cloud Credential Theft
On 19 May 2026, three malicious versions of Microsoft's durabletask PyPI package were uploaded in a 35-minute window. The payload steals AWS, Azure, GCP, and Kubernetes credentials in under four seconds and ships a locale-gated rm -rf wiper.
How to Detect Dependency Confusion Attacks Before They Ship
Dependency confusion still works in 2026 because teams keep missing the same three controls. Here's how to detect and block it in npm, pip, and Maven.
PyPI Trusted Publishing Token Leaks in 2025
Trusted Publishing made PyPI safer, but leaked short-lived OIDC tokens in CI logs kicked off a credential-replay campaign that PyPI, GitHub, and Sonatype all tracked in 2025.
OSS Maintainer Account Takeover Trends 2025
A senior engineer's breakdown of how maintainer account takeovers evolved in 2025, from phishing kits targeting PyPI to session token theft on GitHub and npm.
PyPI 2FA Lessons Two Years In
PyPI mandated 2FA for all maintainers in 2024. Two years in, account takeovers dropped — but attackers shifted to OIDC tokens, abandoned packages, and maintainer devices.
Dependency Confusion: Attack Evolution from 2022 to 2026
Alex Birsan's 2021 disclosure named a class of attacks. Four years on, dependency confusion has evolved across registries, tooling, and victim profiles.
Python Security Explained
How Python's install-time code execution and open PyPI namespace fuel real supply chain attacks — and what actually reduces the risk.
PyPI Security: Malware Campaigns and How to Defend
The Python Package Index has become a first-class malware channel — from the ctx hijack to the ultralytics pipeline compromise. Here are the campaigns worth studying and the defenses that work.