Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
PyPI's flat global namespace is one of Python packaging's oldest design decisions. How it's governed today, where the tension points are, and what the PEP 752 debate means for the future.
Account recovery is where most identity systems leak security, and PyPI is no exception. A close look at how recovery works today, where the edges are, and what enterprise publishers should plan around.
Dependency confusion exploits the gap between public and private package registries. Despite widespread awareness, organizations keep falling for it.
PyPI's 2FA mandate isn't just a personal-account concern anymore — enterprises publishing Python libraries have real rollout work to do. A playbook from the front lines.
Mirroring npm, PyPI, or Maven Central locally reduces dependency on external infrastructure. But mirrors introduce their own security considerations that most teams overlook.
Python wheels are the standard packaging format, but their security verification story has significant gaps that most developers never consider.
Malicious packages on npm, PyPI, and other registries are surging. Here are the techniques researchers and tools use to detect them.
PyPI's decision to require two-factor authentication for critical package maintainers marks a significant step toward securing the Python supply chain.
Python's package registry saw an explosion of malicious packages in late 2022, from credential stealers to reverse shells. Here's what we found.
Weekly insights on software supply chain security, delivered to your inbox.