Safeguard
Tag

pypi

Safeguard articles tagged "pypi" — guides, analysis, and best practices for software supply chain and application security.

69 articles

Open Source Security

PyPI Attestation Requirements: A Roadmap Read

PEP 740 brings Sigstore-style attestations to PyPI. A close read of the roadmap, what's actually shipped, and what it means for consumers and publishers over the next 12 months.

Mar 10, 20257 min read
Open Source Security

PyPI Organization Accounts: The Security Model

PyPI Organization Accounts add real structure to a registry that was individual-first for two decades. A deep look at the security model, what it enables, and what it still doesn't.

Jan 20, 20257 min read
Concepts

What is a Package Registry Mirror

A package registry mirror is a local copy or caching proxy of a public registry. It keeps builds running when npm is down — and controls what enters your supply chain.

Dec 17, 20246 min read
Open Source Security

PyPI Download Statistics as a Security Signal

PyPI download numbers are noisy, gameable, and widely misused. A closer look at what they actually measure, how to read them for security purposes, and where they break.

Dec 15, 20246 min read
Engineering

Python Wheels vs Source Distributions: Security Implications

Installing an sdist runs someone else's code on your machine; installing a wheel doesn't. That one difference drives most PyPI malware — and most of the right defenses.

Nov 27, 20246 min read
SBOM & Compliance

SLSA Build Provenance for Python Publish

Python packages on PyPI can carry SLSA provenance via PEP 740. Here is the publish workflow, the verification story, and the parts that still do not quite fit together.

Oct 15, 20247 min read
Open Source Security

PyPI Typosquatting Detection at Scale

Typosquatting remains a steady drumbeat on PyPI. What detection actually looks like when you're trying to catch it at ecosystem scale, and where the interesting edges are.

Sep 18, 20247 min read
Supply Chain Security

Python Package Typosquatting in 2024: Scale, Tactics, and Defenses

Typosquatting on PyPI reached industrial scale in 2024, with attackers using automated tooling to register thousands of malicious package names targeting common misspellings of popular libraries.

Sep 8, 20246 min read
Open Source Security

PyPI Trusted Publishing: An Adoption Guide

Trusted Publishing replaces long-lived PyPI tokens with OIDC-issued short-lived credentials. A practical guide to adoption, pitfalls, and what it changes for your threat model.

Aug 30, 20246 min read
Open Source Security

PyPI API Token Scopes: An Audit Guide

PyPI API tokens look simple, but how you scope them decides whether a leaked CI secret is a bad day or an ecosystem event. A practical audit guide for security teams.

Jun 22, 20246 min read
Open Source Security

PyPI Package Yanking Policies Analyzed

Yanking is PyPI's narrow, deliberately blunt tool for dealing with broken releases. A close analysis of what it does, what it doesn't do, and when to use it instead of a delete.

May 22, 20247 min read
Open Source Security

PyPI Supply Chain Attacks: Q1 2024 Roundup

Q1 2024 brought typosquats, stealer campaigns, and a week-long new-user freeze on PyPI. Here is what the attacks looked like and how to defend.

Apr 22, 20245 min read
pypi (Page 4) — Safeguard Blog