PyPI Malicious Packages 2025: Python's Growing Supply Chain Problem
PyPI faced a surge of malicious package uploads in early 2025, targeting data science, AI/ML, and cloud development workflows. Here's the full picture.
PEP 740 brings Sigstore-style attestations to PyPI. A close read of the roadmap, what's actually shipped, and what it means for consumers and publishers over the next 12 months.
PyPI Organization Accounts add real structure to a registry that was individual-first for two decades. A deep look at the security model, what it enables, and what it still doesn't.
PyPI download numbers are noisy, gameable, and widely misused. A closer look at what they actually measure, how to read them for security purposes, and where they break.
Python packages on PyPI can carry SLSA provenance via PEP 740. Here is the publish workflow, the verification story, and the parts that still do not quite fit together.
Typosquatting remains a steady drumbeat on PyPI. What detection actually looks like when you're trying to catch it at ecosystem scale, and where the interesting edges are.
Trusted Publishing replaces long-lived PyPI tokens with OIDC-issued short-lived credentials. A practical guide to adoption, pitfalls, and what it changes for your threat model.
PyPI API tokens look simple, but how you scope them decides whether a leaked CI secret is a bad day or an ecosystem event. A practical audit guide for security teams.
Yanking is PyPI's narrow, deliberately blunt tool for dealing with broken releases. A close analysis of what it does, what it doesn't do, and when to use it instead of a delete.