python
Safeguard articles tagged "python" — guides, analysis, and best practices for software supply chain and application security.
76 articles
Python setuptools Security Considerations
setuptools is the default Python packaging backend and its security properties matter for anyone who builds, installs, or runs Python code. Here is what to watch.
Python Packaging Authority and the Security of pip install
Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.
Massive PyPI Malware Campaign Targets Developers with Credential Stealers
A sustained campaign flooded PyPI with hundreds of malicious packages using typosquatting and dependency confusion to steal credentials and cryptocurrency from developers.
Pipenv Security Posture Review
Pipenv is still in production at many companies. Here is an honest look at its security model, its maintenance status, and when it is time to migrate away.
pip Install Hooks Security: The Python Packaging Backdoor
Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.
Python Wheel Security Verification: What You Are Missing
Python wheels are the standard packaging format, but their security verification story has significant gaps that most developers never consider.
Flask Application Security: A Deep Dive
Flask gives you room to make mistakes. This is a long look at the patterns that keep Flask apps safe in 2023, covering sessions, extensions, Werkzeug, and Jinja.
Django Security and Supply Chain Guide
Securing Django applications with built-in security features, dependency management, and supply chain protections.
The March 2023 PyPI Malware Wave
PyPI paused new user registration for most of May 20-23 after a March wave of typosquats and info-stealers flooded the index. Here is what happened and why.
PyPI Malware Campaigns Surge in Q4 2022: A Roundup of the Worst Offenders
Python's package registry saw an explosion of malicious packages in late 2022, from credential stealers to reverse shells. Here's what we found.
Python Package Security Best Practices
Practical techniques for securing your Python supply chain, from pip and PyPI to virtual environments and hash verification.
PyPI Namespace Squatting: How Attackers Exploit Python's Flat Package Namespace
Python's package registry has no namespace protection. Attackers exploit this with typosquatting, namespace confusion, and abandoned name reclamation. Here is how to protect your Python supply chain.