Safeguard
Tag

pypi

Safeguard articles tagged "pypi" — guides, analysis, and best practices for software supply chain and application security.

69 articles

Open Source Security

The March 2023 PyPI Malware Wave

PyPI paused new user registration for most of May 20-23 after a March wave of typosquats and info-stealers flooded the index. Here is what happened and why.

Mar 28, 20235 min read
Open Source Security

PyPI Mandatory 2FA for Critical Packages: A Turning Point for Python Security

PyPI's decision to require two-factor authentication for critical package maintainers marks a significant step toward securing the Python supply chain.

Feb 10, 20236 min read
Open Source Security

PyPI Malware Campaigns Surge in Q4 2022: A Roundup of the Worst Offenders

Python's package registry saw an explosion of malicious packages in late 2022, from credential stealers to reverse shells. Here's what we found.

Dec 5, 20226 min read
Dependency Security

Python Package Security Best Practices

Practical techniques for securing your Python supply chain, from pip and PyPI to virtual environments and hash verification.

Nov 18, 20225 min read
Software Supply Chain Security

PyPI Namespace Squatting: How Attackers Exploit Python's Flat Package Namespace

Python's package registry has no namespace protection. Attackers exploit this with typosquatting, namespace confusion, and abandoned name reclamation. Here is how to protect your Python supply chain.

Nov 5, 20225 min read
Supply Chain Attacks

PyPI Supply Chain Attacks: The ctx Package Compromise

The ctx package on PyPI was hijacked to steal environment variables from developer machines. The attack exploited an expired domain to take over a maintainer account — a novel and repeatable technique.

May 20, 20225 min read
Open Source Security

Python PyPI Malware Campaigns in 2021

Malicious packages on PyPI surged in 2021, targeting developers with credential stealers, backdoors, and data exfiltration. Here's what the campaigns look like and how to defend against them.

Oct 15, 20215 min read
Supply Chain Attacks

Typosquatting Attacks on npm and PyPI Explained

Attackers exploit human typos to distribute malware through package registries. Here's how typosquatting works, real examples, and how to protect your builds.

Aug 10, 20215 min read
Supply Chain Attacks

Dependency Confusion Attacks Explained

Alex Birsan's research showed how internal package names can be exploited to inject malicious code into corporate build systems. Here's how the attack works and how to defend against it.

Jun 10, 20216 min read
pypi (Page 6) — Safeguard Blog