pypi
Safeguard articles tagged "pypi" — guides, analysis, and best practices for software supply chain and application security.
69 articles
The March 2023 PyPI Malware Wave
PyPI paused new user registration for most of May 20-23 after a March wave of typosquats and info-stealers flooded the index. Here is what happened and why.
PyPI Mandatory 2FA for Critical Packages: A Turning Point for Python Security
PyPI's decision to require two-factor authentication for critical package maintainers marks a significant step toward securing the Python supply chain.
PyPI Malware Campaigns Surge in Q4 2022: A Roundup of the Worst Offenders
Python's package registry saw an explosion of malicious packages in late 2022, from credential stealers to reverse shells. Here's what we found.
Python Package Security Best Practices
Practical techniques for securing your Python supply chain, from pip and PyPI to virtual environments and hash verification.
PyPI Namespace Squatting: How Attackers Exploit Python's Flat Package Namespace
Python's package registry has no namespace protection. Attackers exploit this with typosquatting, namespace confusion, and abandoned name reclamation. Here is how to protect your Python supply chain.
PyPI Supply Chain Attacks: The ctx Package Compromise
The ctx package on PyPI was hijacked to steal environment variables from developer machines. The attack exploited an expired domain to take over a maintainer account — a novel and repeatable technique.
Python PyPI Malware Campaigns in 2021
Malicious packages on PyPI surged in 2021, targeting developers with credential stealers, backdoors, and data exfiltration. Here's what the campaigns look like and how to defend against them.
Typosquatting Attacks on npm and PyPI Explained
Attackers exploit human typos to distribute malware through package registries. Here's how typosquatting works, real examples, and how to protect your builds.
Dependency Confusion Attacks Explained
Alex Birsan's research showed how internal package names can be exploited to inject malicious code into corporate build systems. Here's how the attack works and how to defend against it.