pypi
Safeguard articles tagged "pypi" — guides, analysis, and best practices for software supply chain and application security.
69 articles
PyPI Package Namespace Governance
PyPI's flat global namespace is one of Python packaging's oldest design decisions. How it's governed today, where the tension points are, and what the PEP 752 debate means for the future.
PyPI Account Recovery: A Security Model Review
Account recovery is where most identity systems leak security, and PyPI is no exception. A close look at how recovery works today, where the edges are, and what enterprise publishers should plan around.
Dependency Confusion in Private Registries: The Attack That Keeps Working
Dependency confusion exploits the gap between public and private package registries. Despite widespread awareness, organizations keep falling for it.
How to Detect Typosquatting in Package Installs
Build a pre-install guard that catches typosquatted npm, PyPI, and RubyGems dependencies using Levenshtein distance, download-count heuristics, and registry APIs.
How to Verify a PyPI Package Before Install
A practical pre-install verification workflow for PyPI packages covering sigstore attestations, maintainer checks, and sdist auditing.
PyPI 2FA Enrollment: Enterprise Rollout
PyPI's 2FA mandate isn't just a personal-account concern anymore — enterprises publishing Python libraries have real rollout work to do. A playbook from the front lines.
Package Registry Mirroring: Security Benefits and Hidden Risks
Mirroring npm, PyPI, or Maven Central locally reduces dependency on external infrastructure. But mirrors introduce their own security considerations that most teams overlook.
Python Packaging Authority and the Security of pip install
Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.
Massive PyPI Malware Campaign Targets Developers with Credential Stealers
A sustained campaign flooded PyPI with hundreds of malicious packages using typosquatting and dependency confusion to steal credentials and cryptocurrency from developers.
Python Wheel Security Verification: What You Are Missing
Python wheels are the standard packaging format, but their security verification story has significant gaps that most developers never consider.
Domain Squatting and Package Registry Attacks
Typosquatting and domain squatting in package registries trick developers into installing malicious packages. The attack is trivially easy to execute and remarkably effective.
Open Source Malware Detection Techniques for Package Registries
Malicious packages on npm, PyPI, and other registries are surging. Here are the techniques researchers and tools use to detect them.