Secure pip wrapper with supply chain attack protection
Project description
stillrunning-pip
The zero-config pip wrapper that catches malicious packages before they install. Try it in 5 seconds. No setup, no signup, no config.
Try it now
pip install stillrunning-pip
stillrunning-pip install requests
That's it. Every package you install is now checked against 200,000+ verified malicious packages from OSV.dev, GitHub Advisory, and 6 other threat intelligence sources, updated nightly.
What you get for free
- 10 scans per day per IP, no signup required
- Blocks confirmed-malicious packages automatically
- Warns about suspicious packages
- Works with pip install <pkg> and pip install -r requirements.txt
- 5-second installs, 5-second scans
Replace pip globally (optional)
alias pip='stillrunning-pip'
Add this line to ~/.bashrc or ~/.zshrc so that every install in every project is scanned.
Hit the rate limit?
Get the full stillrunning package — covers pip, uv, poetry, pdm, pipenv, conda, pixi, npm, bun, pnpm, with unlimited scans, AI analysis of unknown packages, and import-time protection:
pip install stillrunning
See stillrunning.io/pricing for paid tiers.
How it works
Before each install, stillrunning-pip queries the public API:
GET https://stillrunning.io/api/check-package?name=<pkg>
If the package is on the verified blocklist, the install is halted with a clear message. Every block traces back to a public security advisory you can verify yourself at stillrunning.io/security-advisories.
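An added example (not stillrunning-pip's own code) of the pre-install gate described above: it extracts the package names an install command asks for, including those in -r files, and sorts them by lookup result. The API's response format is not given on this page, so the lookup is passed in as a verdict function; the function names, the 'malicious'/'clean' labels and the fail-closed handling of failed lookups are assumptions of this example.

```python
import re
from urllib.parse import urlencode

API = "https://stillrunning.io/api/check-package"  # endpoint quoted on this page
# pip install options that consume the next argument (so it is not a package name)
VALUE_OPTS = {"-i", "--index-url", "--extra-index-url", "-c", "--constraint", "-t", "--target"}

def requirement_name(spec):
    """Project name from e.g. 'Requests[socks]>=2.31', normalized per PEP 503."""
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", spec.split("#", 1)[0].strip())
    return re.sub(r"[-_.]+", "-", m.group(0)).lower() if m else None

def targets(args, read_lines):
    """Names requested by the arguments after 'install', following -r files."""
    names, it = [], iter(args)
    for arg in it:
        if arg in ("-r", "--requirement"):
            path = next(it, None)
            lines = read_lines(path) if path else []
            names += [requirement_name(l) for l in lines if not l.lstrip().startswith("-")]
        elif arg in VALUE_OPTS:
            next(it, None)  # skip the option's value, e.g. an index URL
        elif not arg.startswith("-"):
            names.append(requirement_name(arg))
    return [n for n in names if n]

def check_url(name):
    """URL a live lookup would request for one package."""
    return f"{API}?{urlencode({'name': name})}"

def gate(args, read_lines, verdict):
    """Return (blocked, unverified). verdict(name) gives 'malicious', 'clean' or None (assumed labels)."""
    blocked, unverified = [], []
    for name in targets(args, read_lines):
        v = verdict(name)
        if v == "malicious":
            blocked.append(name)
        elif v != "clean":
            unverified.append(name)  # fail closed: a failed or rate-limited lookup is not a pass
    return blocked, unverified

if __name__ == "__main__":
    # Constructed sample input; the dict stands in for the API, so no network access is needed.
    reqs = ["# constructed sample", "Flask_SQLAlchemy==3.1.1", "--no-binary :all:", "evil.pkg==0.1"]
    table = {"requests": "clean", "flask-sqlalchemy": "clean", "evil-pkg": "malicious"}
    args = ["Requests[socks]>=2.31", "-r", "requirements.txt", "-i", "https://pypi.org/simple", "newpkg"]
    print(gate(args, lambda path: reqs, table.get))
```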
Power user features
Set STILLRUNNING_TOKEN to unlock unlimited scans and AI analysis of unknown packages. Get a token at stillrunning.io/pricing.
export STILLRUNNING_TOKEN=sr_...
stillrunning-pip install <pkg>
Bypass scanning
If you need to install something stillrunning is blocking and you've verified it's safe:
pip install <package>
Just use vanilla pip directly. stillrunning-pip is opt-in: it only scans an install when it is the binary you call.
Relationship to stillrunning
stillrunning-pip is the simplest member of the stillrunning family. It does one thing: scans pip installs against the verified threat database.
For broader coverage (uv, poetry, pdm, pipenv, conda, pixi, npm, bun, pnpm), import-time protection, MCP server for Claude Code, GitHub Action for CI, and unlimited scans, install the main package: pip install stillrunning.
License
MIT
Download files
File details
Details for the file stillrunning_pip-1.1.0.tar.gz.
File metadata
- Download URL: stillrunning_pip-1.1.0.tar.gz
- Upload date:
- Size: 5.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 30d108cbe70ddd550225fc422581a62c72945e57499678d84eb6cddf11ad833c |
| MD5 | aa60ec5af5c8567d05e298e847651334 |
| BLAKE2b-256 | 1ea564ad89a3001292af760c3f8d2efd2bb9776fb16eaed9a3f014f97517eb23 |
File details
Details for the file stillrunning_pip-1.1.0-py3-none-any.whl.
File metadata
- Download URL: stillrunning_pip-1.1.0-py3-none-any.whl
- Upload date:
- Size: 6.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | cd8827b57b818933249dde76c5867cbabad09c09f6ee45ab4ae8683f0d336932 |
| MD5 | eff1109d5d472e455efbd733f32a561a |
| BLAKE2b-256 | 56581b970a28726eb10b44d433ad21f5c573642c60e86dd99da134636d7aa0c5 |