pypi
Safeguard articles tagged "pypi" — guides, analysis, and best practices for software supply chain and application security.
69 articles
PyPI Attestation Requirements: A Roadmap Read
PEP 740 brings Sigstore-style attestations to PyPI. A close read of the roadmap, what's actually shipped, and what it means for consumers and publishers over the next 12 months.
PyPI Organization Accounts: The Security Model
PyPI Organization Accounts add real structure to a registry that was individual-first for two decades. A deep look at the security model, what it enables, and what it still doesn't.
What is a Package Registry Mirror
A package registry mirror is a local copy or caching proxy of a public registry. It keeps builds running when npm is down — and controls what enters your supply chain.
PyPI Download Statistics as a Security Signal
PyPI download numbers are noisy, gameable, and widely misused. A closer look at what they actually measure, how to read them for security purposes, and where they break.
Python Wheels vs Source Distributions: Security Implications
Installing an sdist runs someone else's code on your machine; installing a wheel doesn't. That one difference drives most PyPI malware — and most of the right defenses.
SLSA Build Provenance for Python Publish
Python packages on PyPI can carry SLSA provenance via PEP 740. Here is the publish workflow, the verification story, and the parts that still do not quite fit together.
PyPI Typosquatting Detection at Scale
Typosquatting remains a steady drumbeat on PyPI. What detection actually looks like when you're trying to catch it at ecosystem scale, and where the interesting edges are.
Python Package Typosquatting in 2024: Scale, Tactics, and Defenses
Typosquatting on PyPI reached industrial scale in 2024, with attackers using automated tooling to register thousands of malicious package names targeting common misspellings of popular libraries.
PyPI Trusted Publishing: An Adoption Guide
Trusted Publishing replaces long-lived PyPI tokens with OIDC-issued short-lived credentials. A practical guide to adoption, pitfalls, and what it changes for your threat model.
PyPI API Token Scopes: An Audit Guide
PyPI API tokens look simple, but how you scope them decides whether a leaked CI secret is a bad day or an ecosystem event. A practical audit guide for security teams.
PyPI Package Yanking Policies Analyzed
Yanking is PyPI's narrow, deliberately blunt tool for dealing with broken releases. A close analysis of what it does, what it doesn't do, and when to use it instead of a delete.
PyPI Supply Chain Attacks: Q1 2024 Roundup
Q1 2024 brought typosquats, stealer campaigns, and a week-long new-user freeze on PyPI. Here is what the attacks looked like and how to defend.