PyPI Trusted Publishing Token Leaks in 2025
Trusted Publishing made PyPI safer, but leaked short-lived OIDC tokens in CI logs kicked off a credential-replay campaign that PyPI, GitHub, and Sonatype all tracked in 2025.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Researchers tracked a PyPI campaign publishing malicious packages under the mexalz and related account names, targeting Python developers with infostealers.
PyPI trusted publishing removed a whole class of token leaks, but teams keep tripping over the same half-dozen configuration mistakes. Here is what to watch for.
Cython-built Python extensions ship as platform-specific binaries with a build toolchain behind them. That introduces supply chain surface most teams have not mapped.
PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time, and deal with the rough edges.
Typosquatting on PyPI reached industrial scale in 2024, with attackers using automated tooling to register thousands of malicious package names targeting common misspellings of popular libraries.
Pydantic v2 rewrote the core in Rust and changed validation semantics. Here is what that means for security-sensitive code, from input coercion to ReDoS exposure.
FastAPI's dependency surface is deceptively large. Here is how to lock it down in practice, covering Starlette, Pydantic, Uvicorn, and the plugins you likely missed.
Securing FastAPI applications with Pydantic validation, OAuth2 integration, and dependency injection patterns.