
Stops malicious PyPI packages before installation

Project description

pip-guardian

pip-guardian is a security gate in front of pip install to reduce PyPI supply-chain risk.

Why this exists

Package ecosystems are a common attack path. pip-guardian checks package metadata and distribution contents before install, then decides ALLOW, WARN, or BLOCK.

Feature set

1) Pre-install risk policy

  • Version age rules:
    • block if version is very new (default < 5h)
    • warn if version is recent (default < 48h)
  • Blocks yanked releases.
  • Blocks known-compromised versions from local blocklist.
  • Blocks maintainer identities from local blocklist.
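A sketch of how the age, yanked and blocklist rules above can combine into one decision. This is an added example, not pip-guardian's own code: the function names and the in-memory blocklist shape are assumptions, and the file records are constructed to look like the `urls` entries of the PyPI JSON API.

```python
import re
from datetime import datetime, timedelta

BLOCK_AGE = timedelta(hours=5)    # README default: block below this age
WARN_AGE = timedelta(hours=48)    # README default: warn below this age
# Assumed in-memory blocklist shape: normalized name -> set of versions.
BLOCKLIST = {"litellm": {"1.82.7", "1.82.8"}}


def normalize(name):
    """PEP 503 name normalization, so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def decide(name, version, files, now, blocklist=BLOCKLIST):
    """Return (decision, reason) for one release.

    `files` holds one dict per distribution file with the keys
    `upload_time_iso_8601` and `yanked`; `now` is a timezone-aware datetime.
    """
    if version in blocklist.get(normalize(name), set()):
        return "BLOCK", "version is on the local blocklist"
    if not files:
        # Fail closed: without files the release age cannot be established.
        return "BLOCK", "no distribution files found"
    if any(f.get("yanked") for f in files):
        return "BLOCK", "release is yanked"
    # Judge by the newest upload: a wheel added today to an old version
    # is still new, unreviewed content.
    newest = max(
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    )
    age = now - newest
    if age < BLOCK_AGE:
        return "BLOCK", f"newest file is only {age} old"
    if age < WARN_AGE:
        return "WARN", f"newest file is only {age} old"
    return "ALLOW", "no policy rule matched"
```

A negative age (upload time in the future, for example from clock skew) falls under the block threshold, so the check fails closed.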

2) Deep artifact scanning

  • Downloads wheel/sdist artifacts from PyPI before install.
  • Verifies artifact SHA256 against PyPI metadata.
  • Static scan heuristics for:
    • executable .pth startup hooks
    • sitecustomize.py / usercustomize.py
    • obfuscated payload patterns (e.g., long base64 + dynamic execution)
    • credential-exfiltration-like behavior
    • persistence indicators (e.g., systemd artifacts)
    • Kubernetes lateral-movement indicators
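Two of the checks listed above, shown as an added example that is not pip-guardian's scanner: comparing an artifact's SHA256 with the digest from metadata, and flagging startup hooks inside a wheel. The function names are assumptions, and the sample wheel is constructed in memory with harmless contents.

```python
import hashlib
import io
import zipfile


def sha256_matches(artifact: bytes, expected_hex: str) -> bool:
    """Compare the downloaded bytes with the digest published in metadata."""
    return hashlib.sha256(artifact).hexdigest() == expected_hex.lower()


def startup_hook_findings(wheel_bytes: bytes):
    """Return (member, detail) pairs for code that can run at interpreter startup."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base in ("sitecustomize.py", "usercustomize.py"):
                # Heuristic: site.py imports these names when they are on sys.path.
                findings.append((info.filename, "startup module name"))
            elif base.endswith(".pth"):
                text = zf.read(info).decode("utf-8", errors="replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    # site.py executes .pth lines starting with "import" plus
                    # a space or tab; every other line is just a path entry.
                    if line.startswith(("import ", "import\t")):
                        findings.append(
                            (info.filename, f"line {lineno} is executed at startup")
                        )
    return findings


def build_sample_wheel() -> bytes:
    """Constructed sample: a tiny wheel-like zip with benign contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "VERSION = '0.0.1'\n")
        zf.writestr("demo_pkg.pth", "demo_pkg\nimport demo_pkg\n")
        zf.writestr("sitecustomize.py", "pass\n")
    return buf.getvalue()
```

A path-only `.pth` file produces no finding, which is why the check looks at individual lines rather than at the file extension alone.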

3) Built-in incident guard (LiteLLM March 2026)

  • Blocks:
    • litellm==1.82.7
    • litellm==1.82.8
  • Runbook:
    • docs/INCIDENT_LITELLM_2026.md

4) CI-friendly JSON mode

  • --json emits one machine-readable JSON object.
  • --yes allows non-interactive proceed on WARN.
  • Exit codes:
    • 0 install succeeded
    • 1 blocked, warn-not-confirmed, or pip install failure
    • 2 usage/argument errors

5) Logging

  • Decision logs written as JSONL.
  • Primary path: ~/.pip_guardian/guardian.log
  • Fallback path (if home not writable): ./.pip_guardian/guardian.log

Installation

Not published on PyPI yet.

Install from source:

git clone https://github.com/AnantDhavale/pip-guardian.git
cd pip-guardian
pip install .

Usage

guardian install requests
guardian install litellm==1.82.8
guardian install fastapi --index-url https://pypi.org/simple
guardian install requests --json --yes

Policy and IOC files

  • policies/config.yaml:
    • age thresholds
    • deep-scan score thresholds
    • executable .pth blocking toggle
  • policies/blocklist.json:
    • package/version deny list
    • maintainer deny list

Repository structure

  • guardian/cli.py - command entrypoint
  • guardian/policy_engine.py - risk decision logic
  • guardian/scanner.py - deep artifact scanning
  • guardian/pypi_checker.py - PyPI metadata collection
  • guardian/logger.py - local decision logging

Notes

  • This reduces risk but is not a full malware sandbox.
  • For production, use pinned dependencies and hash-locked installs.

Author

Anant Dhavale
anantdhavale@gmail.com


Download files


Source Distribution

pip_guardian-1.0.0.tar.gz (13.3 kB)

Uploaded Source

Built Distribution


pip_guardian-1.0.0-py3-none-any.whl (13.4 kB)

Uploaded Python 3

File details

Details for the file pip_guardian-1.0.0.tar.gz.

File metadata

  • Download URL: pip_guardian-1.0.0.tar.gz
  • Upload date:
  • Size: 13.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pip_guardian-1.0.0.tar.gz
Algorithm Hash digest
SHA256 11759a71a3944fe1a5b81da2543405f3331ab5069cfa9907eebc2853972c8af2
MD5 f2ec3fefb42b38b47626c317bb605dae
BLAKE2b-256 8b05dc46b28c9ad460399273270798120060457c9128ae755b379d8f1bb37996


Provenance

The following attestation bundles were made for pip_guardian-1.0.0.tar.gz:

Publisher: python-publish.yml on AnantDhavale/pip-guardian

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pip_guardian-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: pip_guardian-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 13.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pip_guardian-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 063c5bbc376a7e63534d1b84285835120b68cfb81a29ebc017236107e35d5050
MD5 3e311cc229d22e4872d1c200d7deee8e
BLAKE2b-256 ecdab58aa5ca72c442cebea7033bdb66c1142da08a8ec03409fb03a80cfa2a44


Provenance

The following attestation bundles were made for pip_guardian-1.0.0-py3-none-any.whl:

Publisher: python-publish.yml on AnantDhavale/pip-guardian

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
