PyPI supply chain monitoring

Attestd monitors 15,000 PyPI packages for malicious publishes, yanked versions with security annotations, and OSV-confirmed malicious advisories. Coverage spans LLM and AI SDKs, data science libraries, web frameworks, cloud SDKs, orchestration tools, and all packages above approximately 500,000 weekly downloads.

PyPI does not require two-factor authentication for all publishers, making account takeover the most common attack vector for high-profile packages. Typosquatting (registering names similar to popular packages) and dependency confusion (publishing a public package that shadows an internal package name) are also active threats. Attestd ingests OSV malicious-package advisories, PyPI yank events with security annotations, and manually verified reports from the Attestd registry.

PyPI attack patterns

Account takeover

An attacker gains control of a PyPI maintainer account through credential phishing or credential stuffing. They publish a new version containing malicious code under the legitimate package name. This is the highest-impact attack class because the malicious version inherits all existing trust from the package.

Typosquatting

An attacker registers a package with a name similar to a popular package (e.g. `requets` instead of `requests`). Users who mistype the package name in `pip install` or `requirements.txt` install the malicious version. PyPI does not block similar-looking names.

Dependency confusion

An attacker discovers an internal package name (through leaked `requirements.txt` files, job postings, or error messages) and publishes a public PyPI package with the same name at a higher version number. When both the public index and the internal registry are configured, pip considers candidates from both and installs the higher-versioned public package.
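The weak setting behind this attack is usually an `extra-index-url` entry in pip's configuration, which makes pip merge candidates from PyPI and the internal registry and pick the highest version. The audit below is an added example, not Attestd's code: it parses two constructed `pip.conf` texts (the internal registry URL is a placeholder) and reports the index configuration that permits confusion beside the corrected one, where the internal registry is the only index and hash checking is required.

```python
"""Audit pip configuration for index settings that enable dependency confusion.

Added example, not Attestd's code. Both config texts are constructed and the
registry URL is a placeholder.
"""
import configparser

# Constructed weak configuration: the internal registry is added as an *extra*
# index, so pip compares versions across PyPI and the internal registry and a
# public package with a higher version number wins.
WEAK_PIP_CONF = """\
[global]
extra-index-url = https://pypi.internal.example/simple
"""

# Constructed corrected configuration: the internal registry is the *only*
# index (assumed here to proxy the approved public packages itself), so a public
# name collision cannot win on version number, and require-hashes makes a
# substituted artifact fail on hash mismatch.
FIXED_PIP_CONF = """\
[global]
index-url = https://pypi.internal.example/simple
require-hashes = true
"""


def audit_pip_config(text: str) -> list:
    """Return a list of human-readable findings; an empty list means no
    index-related weakness was found in any section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        extra = cfg.get(section, "extra-index-url", fallback=None)
        if extra:
            findings.append(
                f"[{section}] extra-index-url={extra}: pip merges candidates from PyPI "
                "and this index and installs the highest version, so a public package "
                "with the same name can shadow the internal one"
            )
        if not cfg.getboolean(section, "require-hashes", fallback=False):
            findings.append(
                f"[{section}] require-hashes is not enabled: a substituted artifact "
                "would install without a hash mismatch"
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_PIP_CONF), ("fixed", FIXED_PIP_CONF)):
        print(label, audit_pip_config(conf) or ["no findings"])
```

`require-hashes` only helps when every requirement carries a `--hash` entry, so it belongs together with a fully pinned, hash-annotated requirements file; on its own it would make unpinned installs fail rather than make them safe.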

CI/CD script injection

A package's `setup.py`, `pyproject.toml` build hooks, or post-install scripts execute arbitrary code during `pip install`. A compromised package can run commands in the CI/CD environment at install time, before the package is ever imported.
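Because a source distribution can run code from `setup.py` at install time, one mitigation is to inspect the sdist before letting pip build it. The scanner below is an added example, not Attestd's code: it builds two constructed sdists in memory (one declarative, one with an `install` command subclass that spawns a process and decodes base64 data) and reports which install-time indicators appear in the build files. The indicator list is a starting point, not a complete signature set.

```python
"""Scan a source distribution for install-time code execution indicators.

Added example, not Attestd's code. The sdists are constructed in memory and
the indicator patterns are illustrative, not exhaustive.
"""
import io
import re
import tarfile

# Each pattern names a construct that lets setup.py run code at `pip install`
# time, or that commonly hides what that code does.
INDICATORS = {
    "install-hook": re.compile(r"cmdclass\s*=|class\s+\w+\((?:install|develop|egg_info|build_py)\)"),
    "process-exec": re.compile(r"\b(?:subprocess\.|os\.system|os\.popen)"),
    "dynamic-exec": re.compile(r"\b(?:exec|eval)\s*\("),
    "obfuscation": re.compile(r"\b(?:base64\.b64decode|codecs\.decode|zlib\.decompress)\b"),
    "network": re.compile(r"\b(?:urllib\.request|requests\.get|socket\.)"),
}

# Files that pip evaluates while building an sdist; only copies at the
# distribution root count.
BUILD_FILES = ("setup.py", "pyproject.toml", "setup.cfg")


def scan_sdist(data: bytes) -> dict:
    """Return {member_path: [indicator names]} for root build files in a .tar.gz sdist."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if member.name.rsplit("/", 1)[-1] not in BUILD_FILES or member.name.count("/") > 1:
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            hits = [label for label, rx in INDICATORS.items() if rx.search(text)]
            if hits:
                findings[member.name] = hits
    return findings


def build_sdist(files: dict, root: str = "demo-1.0") -> bytes:
    """Build an in-memory .tar.gz with the given files under root/ (demo helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            payload = content.encode()
            info = tarfile.TarInfo(f"{root}/{name}")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed benign sdist: declarative setup with no hooks.
BENIGN = build_sdist({
    "setup.py": "from setuptools import setup\nsetup(name='demo', version='1.0')\n",
})

# Constructed suspicious sdist: an install subclass that runs a process and
# decodes embedded data (the command here is a harmless echo).
SUSPICIOUS = build_sdist({
    "setup.py": (
        "import base64, subprocess\n"
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        subprocess.run(['echo', base64.b64decode(b'aGVsbG8=').decode()])\n"
        "        install.run(self)\n"
        "setup(name='demo', version='1.0', cmdclass={'install': PostInstall})\n"
    ),
    "demo/__init__.py": "",
})


if __name__ == "__main__":
    print("benign:", scan_sdist(BENIGN))
    print("suspicious:", scan_sdist(SUSPICIOUS))
```

To obtain the artifact without building it, `pip download --no-deps --no-binary :all: <name>==<version>` fetches the sdist for scanning; in CI, `pip install --only-binary=:all:` avoids sdist builds altogether, so no `setup.py` runs at install time, at the cost of refusing packages that ship no wheel.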

Checking a PyPI package

Use the exact PyPI package name as the product parameter. Package names are case-insensitive but lowercase is preferred:

```bash
$ curl "https://api.attestd.io/v1/check?product=langchain&version=0.3.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

A `supply_chain.compromised: false` response means no malicious publish was found at the last ingestion. A `supply_chain: null` response means the package is not in the PyPI watchlist.
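The distinction between `compromised: false` and `supply_chain: null` matters in a CI gate: the first is a negative finding, the second is no finding at all. The client below is an added example, not Attestd's own client code. The endpoint, the `product` and `version` parameters, the bearer header and the two documented response shapes come from this page; the rest of the response schema, the `compromised: true` shape and the three sample responses are assumptions constructed for the demonstration.

```python
"""Query the Attestd check endpoint for a PyPI package and act on supply_chain.

Added example, not Attestd's client code. Only the URL, the product/version
parameters, the bearer header and the supply_chain.compromised / supply_chain:
null shapes come from the page; the sample responses are constructed.
"""
import json
import os
import urllib.parse
import urllib.request

API_URL = "https://api.attestd.io/v1/check"


def check_package(product: str, version: str, api_key: str) -> dict:
    """Call the check endpoint; the package name is lower-cased, as the page prefers."""
    query = urllib.parse.urlencode({"product": product.lower(), "version": version})
    req = urllib.request.Request(
        f"{API_URL}?{query}", headers={"Authorization": f"Bearer {api_key}"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def classify(response: dict) -> str:
    """Map a response to 'compromised', 'clean' or 'unmonitored'.

    supply_chain is null     -> not on the watchlist; absence of a finding is
                                not evidence of safety.
    compromised is false     -> no malicious publish known at last ingestion.
    compromised is true      -> a malicious publish was recorded (assumed shape).
    """
    sc = response.get("supply_chain")
    if sc is None:
        return "unmonitored"
    if sc.get("compromised") is True:
        return "compromised"
    if sc.get("compromised") is False:
        return "clean"
    raise ValueError(f"unexpected supply_chain payload: {sc!r}")


def install_decision(response: dict) -> tuple:
    """Simple CI policy: block compromised, allow clean, allow unmonitored with a warning."""
    verdict = classify(response)
    if verdict == "compromised":
        return False, "blocked: malicious publish recorded for this version"
    if verdict == "unmonitored":
        return True, "warning: not on the watchlist, no supply-chain signal available"
    return True, "ok: no malicious publish found at last ingestion"


# Constructed sample responses: the two shapes documented on the page plus the
# assumed positive case.
SAMPLE_CLEAN = {"product": "langchain", "version": "0.3.0", "supply_chain": {"compromised": False}}
SAMPLE_UNMONITORED = {"product": "some-internal-pkg", "version": "1.0", "supply_chain": None}
SAMPLE_COMPROMISED = {"product": "example-pkg", "version": "9.9.9", "supply_chain": {"compromised": True}}


if __name__ == "__main__":
    key = os.environ.get("ATTESTD_API_KEY")
    # With a key the live endpoint is queried; without one the constructed sample is used.
    resp = check_package("langchain", "0.3.0", key) if key else SAMPLE_CLEAN
    print(classify(resp), install_decision(resp))
```

Treating `unmonitored` as a warning rather than a pass keeps internal or niche packages from silently looking "checked"; teams that want a stricter gate can turn that branch into a block for names outside an allow-list.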

Featured packages

The packages below have individual monitoring pages with API examples and attack surface details. The full watchlist covers 15,000 packages.
