Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Between 2023 and 2024 the VS Code Marketplace saw a string of typosquat, hijack, and impersonation incidents that shaped Microsoft's eventual hardening response. This is a composite postmortem of what happened, what changed, and what is still broken in 2026.
A repository named Open-OSS/privacy-filter impersonated OpenAI's release, copied its model card verbatim, and shipped a loader.py that pulled an infostealer. It reached #1 trending with ~244,000 downloads before removal.
Typosquatting on PyPI reached industrial scale in 2024, with attackers using automated tooling to register thousands of malicious package names targeting common misspellings of popular libraries.
Trademarks matter in open source security because they are the signal of authentic origin. When trademark policies fail, typosquatting, impostor forks, and compromised builds follow.
Build a pre-install guard that catches typosquatted npm, PyPI, and RubyGems dependencies using Levenshtein distance, download-count heuristics, and registry APIs.
Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.
A sustained campaign flooded PyPI with hundreds of malicious packages using typosquatting and dependency confusion to steal credentials and cryptocurrency from developers.
Typosquatting and domain squatting in package registries trick developers into installing malicious packages. The attack is trivially easy to execute and remarkably effective.
PyPI paused new user registration for most of May 20-23 after a March wave of typosquats and info-stealers flooded the index. Here is what happened and why.
Weekly insights on software supply chain security, delivered to your inbox.