registry-security
Safeguard articles tagged "registry-security" — guides, analysis, and best practices for software supply chain and application security.
9 articles
Inside the npm Reward-Farming Worm That Published 89,000+ Packages
One npm publishing bot exploited a crypto reward protocol to spam 89,000+ packages, some appearing every 7-10 seconds. Here's how it worked and how to spot it.
How Malicious Skills Get Distributed Through Agent Registries
CVE-2025-59536 (CVSS 8.7) let a single malicious commit auto-approve MCP servers in Claude Code, no install click required. Registries need the same controls as package managers.
RubyGems Suspends New Signups After a 500-Package Malicious Flood (May 2026)
On 12-13 May 2026, RubyGems was hit by a coordinated spam-publishing flood that pushed 500+ malicious packages from newly-registered bot accounts. The registry paused new signups and re-enabled them on 16 May after tightening rate limiting with Fastly.
JSR JavaScript Registry Security Model
JSR reimagines JavaScript package distribution with mandatory signing, scoped namespaces, and provenance by default. Here is how the security model works.
Maven Central Malicious Publishing Trends 2025
Maven Central has historically been the quietest major registry for malware, but 2025 saw a measurable uptick in malicious artifacts and namespace abuse.
What is Typo-Squatting Detection
Typo-squatting detection identifies malicious packages named one keystroke away from real ones — requets instead of requests — before they reach your build.
rust crates.io Security Model Reviewed
A look at how crates.io handles authentication, yanking, namespace squatting, and the supply chain risks that remain in mid-2024.
npm Registry Governance and the Security of node_modules
The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.
npm Registry Security Gets Serious: 2022's Major Improvements
From mandatory MFA for top packages to enhanced login verification, npm made significant security improvements in 2022. Here's what changed.