PyPI Malicious Packages 2025: Python's Growing Supply Chain Problem
PyPI faced a surge of malicious package uploads in early 2025, targeting data science, AI/ML, and cloud development workflows. Here's the full picture.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Python packages on PyPI can carry SLSA provenance via PEP 740. Here is the publish workflow, the verification story, and the parts that still do not quite fit together.
Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.
Python wheels are the standard packaging format, but their security verification story has significant gaps that most developers never consider.
Python's package registry saw an explosion of malicious packages in late 2022, from credential stealers to reverse shells. Here's what we found.
Python's package registry has no namespace protection. Attackers exploit this with typosquatting, namespace confusion, and abandoned name reclamation. Here is how to protect your Python supply chain.
Bandit scans Python code for security issues. Here is how to configure it so it catches real bugs without burying your team in false positives.
Running pip install can execute arbitrary code on your machine before you ever import the package. Here is how install hooks create risk.
The ctx package on PyPI was hijacked to steal environment variables from developer machines. The attack exploited an expired domain to take over a maintainer account — a novel and repeatable technique.