Safeguard
Tag

registry-security

Safeguard articles tagged "registry-security" — guides, analysis, and best practices for software supply chain and application security.

9 articles

Supply Chain Attacks

Inside the npm Reward-Farming Worm That Published 89,000+ Packages

One npm publishing bot exploited a crypto reward protocol to spam 89,000+ packages, some appearing every 7-10 seconds. Here's how it worked and how to spot it.

Jul 9, 20267 min read
Supply Chain Attacks

How Malicious Skills Get Distributed Through Agent Registries

CVE-2025-59536 (CVSS 8.7) let a single malicious commit auto-approve MCP servers in Claude Code, no install click required. Registries need the same controls as package managers.

Jul 8, 20266 min read
Supply Chain Attacks

RubyGems Suspends New Signups After a 500-Package Malicious Flood (May 2026)

On 12-13 May 2026, RubyGems was hit by a coordinated spam-publishing flood that pushed 500+ malicious packages from newly-registered bot accounts. The registry paused new signups and re-enabled them on 16 May after tightening rate limiting with Fastly.

May 14, 20269 min read
Open Source Security

JSR JavaScript Registry Security Model

JSR reimagines JavaScript package distribution with mandatory signing, scoped namespaces, and provenance by default. Here is how the security model works.

Mar 8, 20265 min read
Supply Chain Attacks

Maven Central Malicious Publishing Trends 2025

Maven Central has historically been the quietest major registry for malware, but 2025 saw a measurable uptick in malicious artifacts and namespace abuse.

Feb 10, 20266 min read
Concepts

What is Typo-Squatting Detection

Typo-squatting detection identifies malicious packages named one keystroke away from real ones — requets instead of requests — before they reach your build.

Jun 7, 20256 min read
Open Source Security

rust crates.io Security Model Reviewed

A look at how crates.io handles authentication, yanking, namespace squatting, and the supply chain risks that remain in mid-2024.

Jul 14, 20246 min read
Open Source Security

npm Registry Governance and the Security of node_modules

The npm registry serves billions of downloads per week. Its governance decisions directly impact the security of every Node.js application on the planet.

Jan 8, 20247 min read
Open Source Security

npm Registry Security Gets Serious: 2022's Major Improvements

From mandatory MFA for top packages to enhanced login verification, npm made significant security improvements in 2022. Here's what changed.

Oct 1, 20226 min read
registry-security — Safeguard Blog