Safeguard
Tag

pypi

Safeguard articles tagged "pypi" — guides, analysis, and best practices for software supply chain and application security.

69 articles

Open Source Security

PyPI Package Namespace Governance

PyPI's flat global namespace is one of Python packaging's oldest design decisions. How it's governed today, where the tension points are, and what the PEP 752 debate means for the future.

Apr 18, 20246 min read
Open Source Security

PyPI Account Recovery: A Security Model Review

Account recovery is where most identity systems leak security, and PyPI is no exception. A close look at how recovery works today, where the edges are, and what enterprise publishers should plan around.

Mar 14, 20246 min read
Software Supply Chain Security

Dependency Confusion in Private Registries: The Attack That Keeps Working

Dependency confusion exploits the gap between public and private package registries. Despite widespread awareness, organizations keep falling for it.

Feb 20, 20245 min read
Open Source Security

How to Detect Typosquatting in Package Installs

Build a pre-install guard that catches typosquatted npm, PyPI, and RubyGems dependencies using Levenshtein distance, download-count heuristics, and registry APIs.

Jan 15, 20245 min read
Open Source Security

How to Verify a PyPI Package Before Install

A practical pre-install verification workflow for PyPI packages covering sigstore attestations, maintainer checks, and sdist auditing.

Dec 5, 20235 min read
Open Source Security

PyPI 2FA Enrollment: Enterprise Rollout

PyPI's 2FA mandate isn't just a personal-account concern anymore — enterprises publishing Python libraries have real rollout work to do. A playbook from the front lines.

Oct 28, 20236 min read
Supply Chain Security

Package Registry Mirroring: Security Benefits and Hidden Risks

Mirroring npm, PyPI, or Maven Central locally reduces dependency on external infrastructure. But mirrors introduce their own security considerations that most teams overlook.

Oct 8, 20235 min read
Open Source Security

Python Packaging Authority and the Security of pip install

Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.

Sep 15, 20237 min read
Supply Chain Attacks

Massive PyPI Malware Campaign Targets Developers with Credential Stealers

A sustained campaign flooded PyPI with hundreds of malicious packages using typosquatting and dependency confusion to steal credentials and cryptocurrency from developers.

Sep 5, 20235 min read
Software Supply Chain Security

Python Wheel Security Verification: What You Are Missing

Python wheels are the standard packaging format, but their security verification story has significant gaps that most developers never consider.

Jul 22, 20235 min read
Supply Chain Security

Domain Squatting and Package Registry Attacks

Typosquatting and domain squatting in package registries trick developers into installing malicious packages. The attack is trivially easy to execute and remarkably effective.

Jul 5, 20236 min read
Open Source Security

Open Source Malware Detection Techniques for Package Registries

Malicious packages on npm, PyPI, and other registries are surging. Here are the techniques researchers and tools use to detect them.

May 20, 20236 min read
pypi (Page 5) — Safeguard Blog