Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Typosquatting on PyPI reached industrial scale in 2024, with attackers using automated tooling to register thousands of malicious package names targeting common misspellings of popular libraries.
Trademarks matter in open source security because they are the signal of authentic origin. When trademark policies fail, typosquatting, impostor forks, and compromised builds follow.
Build a pre-install guard that catches typosquatted npm, PyPI, and RubyGems dependencies using Levenshtein distance, download-count heuristics, and registry APIs.
Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.
A sustained campaign flooded PyPI with hundreds of malicious packages using typosquatting and dependency confusion to steal credentials and cryptocurrency from developers.
Typosquatting and domain squatting in package registries trick developers into installing malicious packages. The attack is trivially easy to execute and remarkably effective.
PyPI paused new user registration for most of May 20-23 after a March wave of typosquats and info-stealers flooded the index. Here is what happened and why.
Python's package registry saw an explosion of malicious packages in late 2022, from credential stealers to reverse shells. Here's what we found.
Attackers exploit human typos to distribute malware through package registries. Here's how typosquatting works, real examples, and how to protect your builds.
Weekly insights on software supply chain security, delivered to your inbox.