Safeguard
Tag

python

Safeguard articles tagged "python" — guides, analysis, and best practices for software supply chain and application security.

76 articles

Supply Chain

PyPI Security: Malware Campaigns and How to Defend

The Python Package Index has become a first-class malware channel — from the ctx hijack to the ultralytics pipeline compromise. Here are the campaigns worth studying and the defenses that work.

Feb 12, 20266 min read
Supply Chain Attacks

PyPI mexalz Malware Campaign Deep Dive

Researchers tracked a PyPI campaign publishing malicious packages under the mexalz and related account names, targeting Python developers with infostealers.

Feb 2, 20266 min read
Open Source Security

PyPI Trusted Publishing Common Pitfalls

PyPI trusted publishing removed a whole class of token leaks, but teams keep tripping over the same half-dozen configuration mistakes. Here is what to watch for.

Jan 28, 20267 min read
Application Security

FastAPI Authentication Best Practices in 2026

Practical, opinionated guidance on authentication in FastAPI: token formats, dependency patterns, refresh flows, and the mistakes we still see in production code reviews.

Jan 22, 20265 min read
Vulnerability Analysis

Python setuptools package_index ReDoS (CVE-2022-40897)

CVE-2022-40897 is a ReDoS flaw in setuptools' package_index.py that can hang CI pipelines when parsing crafted index pages. Here's how to detect and fix it.

Dec 31, 20257 min read
Vulnerability Analysis

CVE-2022-34265: SQL injection via Trunc/Extract database ...

A technical breakdown of CVE-2022-34265, the Django SQL injection flaw in Trunc() and Extract(), covering affected versions, risk, and remediation steps.

Oct 8, 20257 min read
Application Security

CVE-2021-25288: Buffer overflow in Pillow FLI decoder

CVE-2021-25288 is a buffer overflow in Pillow's FLI decoder, fixed in Pillow 8.1.0. Here's what's affected, the risk profile, and how to remediate.

Oct 5, 20258 min read
Vulnerability Analysis

CVE-2023-30861: Flask session cookie disclosure to templates

CVE-2023-30861 lets caching proxies leak Flask session cookies between users when responses aren't marked Vary: Cookie. Here's who's affected and how to fix it.

Oct 4, 20258 min read
Supply Chain Security

PyPI Malicious Packages 2025: Python's Growing Supply Chain Problem

PyPI faced a surge of malicious package uploads in early 2025, targeting data science, AI/ML, and cloud development workflows. Here's the full picture.

Mar 28, 20256 min read
Open Source Security

Python Cython Extensions and the Supply Chain

Cython-built Python extensions ship as platform-specific binaries with a build toolchain behind them. That introduces supply chain surface most teams have not mapped.

Feb 14, 20257 min read
Engineering

Python Wheels vs Source Distributions: Security Implications

Installing an sdist runs someone else's code on your machine; installing a wheel doesn't. That one difference drives most PyPI malware — and most of the right defenses.

Nov 27, 20246 min read
DevSecOps

Signing Python Wheels in Production

PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time, and deal with the rough edges.

Nov 12, 20246 min read
python (Page 4) — Safeguard Blog