Typosquatting, dependency confusion, supply chain attack, call it as you wish

Complex topic.

Some random notes from me.

Yes, hosting your own server or mirror or proxy is a viable solution:

Seems like there are commercial solutions available with curated packages (at least that is what I understood from the descriptions, not endorsement from me):

There are some tools you could add to your infrastructure (CI/CD pipelines for example), just to name a few:

As far as I can tell, the major code forges (GitHub, GitLab) have built-in tools and tooling to warn against potential security issues in your code:

There is (was) a proposal to strengthen Python packaging ecosystem against “dependency confusion attacks”:

3 Likes