Secure pip wrapper with supply chain attack protection
Project description
stillrunning-pip
Secure pip wrapper that scans packages for supply chain attacks before installing.
Installation
```
pip install stillrunning-pip
```
Usage
Use stillrunning-pip instead of pip:
```
stillrunning-pip install requests flask
stillrunning-pip install -r requirements.txt
```
Or create an alias:
```
# Add to ~/.bashrc or ~/.zshrc
alias pip='stillrunning-pip'
```
Setup
Configure your token and preferences:
```
stillrunning-pip --setup
```
Or create ~/.stillrunning/config.json manually:
```json
{
  "token": "sr_your_token_here",
  "block_dangerous": true,
  "warn_suspicious": true,
  "offline_mode": "warn"
}
```
Example Output
```
🛡️ stillrunning security scan
Checking 5 package(s)...
✅ CLEAN requests==2.31.0
✅ CLEAN flask==2.3.0
⚠️ WARNING sketchy-lib==1.0.0
   → Obfuscated code patterns detected
🚫 BLOCKED evil-pkg==0.1.0
   → Known malicious package (reverse shell)
❌ Installation blocked
1 dangerous package(s) detected
```
Configuration Options
| Option | Default | Description |
|---|---|---|
| token | "" | stillrunning.io API token for AI scanning |
| block_dangerous | true | Block installs for dangerous packages |
| warn_suspicious | true | Show warnings for suspicious packages |
| offline_mode | "warn" | Behavior when API unreachable: warn, block, allow |
| timeout | 30 | API timeout in seconds |
Environment Variables
STILLRUNNING_TOKEN — Override token from config
Free vs Paid
| Feature | Free | With Token |
|---|---|---|
| Known malicious packages | Blocked | Blocked |
| Threat feed database | Checked | Checked |
| AI analysis of unknown packages | - | Yes |
| Scans per day | Unlimited (cached) | 100-10000 |
Get a token at stillrunning.io/pricing
What It Detects
- Known malicious packages — Packages in our threat database (DPRK campaigns, typosquats, backdoors)
- Typosquatting — Packages with names similar to popular packages
- AI-flagged packages — Obfuscated code, credential harvesting, reverse shells
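As an added example (not stillrunning-pip's own code), the following Python sketch models the install-gating decision that the Configuration Options table and the detection list above describe: a loader for the documented config keys, a known-malicious check against a local list, a similarity-based typosquat check against a short list of popular names, the offline_mode policy when the API cannot be reached, and a report in the spirit of the example output. The threat list, the popular-name list, the `Verdict` class, `scan_requirements` and the `sample_ai_scan` / `unreachable_scan` callables are all constructed for this example and are not the project's API.

```python
"""Added example, not stillrunning-pip's own code: a model of the install-gating
decision a scanning pip wrapper makes, using the config keys documented above.
The threat list, popular-name list and scanner callables are constructed."""
from __future__ import annotations

import difflib
import json
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample data standing in for a threat feed and a popularity list.
KNOWN_MALICIOUS = {"evil-pkg"}
POPULAR = ["requests", "flask", "numpy", "django", "urllib3"]

# Defaults mirror the Configuration Options table.
DEFAULT_CONFIG = {
    "token": "",
    "block_dangerous": True,
    "warn_suspicious": True,
    "offline_mode": "warn",  # warn | block | allow
    "timeout": 30,
}


@dataclass
class Verdict:
    name: str
    level: str  # CLEAN, WARNING, BLOCKED or OFFLINE
    reason: str = ""


def load_config(text: str) -> dict:
    """Merge JSON config text (e.g. ~/.stillrunning/config.json) over the defaults."""
    cfg = dict(DEFAULT_CONFIG)
    cfg.update(json.loads(text))
    if cfg["offline_mode"] not in ("warn", "block", "allow"):
        raise ValueError(f"invalid offline_mode: {cfg['offline_mode']!r}")
    return cfg


def requirement_name(req: str) -> str:
    """'requests==2.31.0' -> 'requests': strip version specifiers and extras."""
    match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", req.strip())
    if not match:
        raise ValueError(f"cannot parse requirement: {req!r}")
    return match.group(0).lower()


def typosquat_candidate(name: str) -> str | None:
    """Return the popular package that `name` closely resembles, or None.
    An exact match is not a typosquat; one transposed or dropped character is."""
    if name in POPULAR:
        return None
    close = difflib.get_close_matches(name, POPULAR, n=1, cutoff=0.8)
    return close[0] if close else None


def assess(name: str, ai_scan: Callable[[str], str | None] | None = None) -> Verdict:
    """Local checks first, then the optional remote scan. `ai_scan` stands in for
    the API call: it returns a finding string, None for clean, or raises
    ConnectionError when the service is unreachable."""
    if name in KNOWN_MALICIOUS:
        return Verdict(name, "BLOCKED", "known malicious package")
    near = typosquat_candidate(name)
    if near:
        return Verdict(name, "WARNING", f"name resembles popular package {near!r}")
    if ai_scan is None:
        return Verdict(name, "CLEAN")
    try:
        finding = ai_scan(name)
    except ConnectionError:
        return Verdict(name, "OFFLINE", "API unreachable")
    return Verdict(name, "WARNING", finding) if finding else Verdict(name, "CLEAN")


def should_install(verdicts: list[Verdict], cfg: dict) -> bool:
    """Apply block_dangerous and offline_mode to a batch of verdicts."""
    for v in verdicts:
        if v.level == "BLOCKED" and cfg["block_dangerous"]:
            return False
        if v.level == "OFFLINE" and cfg["offline_mode"] == "block":
            return False
    return True  # warnings never block; offline_mode warn/allow lets the install through


def format_report(verdicts: list[Verdict], cfg: dict) -> list[str]:
    """One line per package plus the reason for anything not CLEAN.
    With warn_suspicious off, WARNING entries are not reported at all."""
    lines = []
    for v in verdicts:
        if v.level == "WARNING" and not cfg["warn_suspicious"]:
            continue
        lines.append(f"[{v.level}] {v.name}")
        if v.reason:
            lines.append(f"  -> {v.reason}")
    return lines


def scan_requirements(reqs: list[str], cfg: dict, ai_scan=None) -> tuple[list[str], bool]:
    """Scan a requirements list; return (report lines, whether install may proceed)."""
    verdicts = [assess(requirement_name(r), ai_scan) for r in reqs]
    return format_report(verdicts, cfg), should_install(verdicts, cfg)


# Constructed scanners for demonstration only.
def sample_ai_scan(name: str) -> str | None:
    return "obfuscated code patterns detected" if name == "sketchy-lib" else None


def unreachable_scan(name: str) -> str | None:
    raise ConnectionError("API unreachable")


if __name__ == "__main__":
    cfg = load_config('{"token": "sr_example_token", "offline_mode": "warn"}')
    report, ok = scan_requirements(
        ["requests==2.31.0", "flask>=2.3", "sketchy-lib", "evil-pkg==0.1.0"], cfg, sample_ai_scan)
    print("\n".join(report))
    print("proceed" if ok else "installation blocked")
```

The point of separating `assess` from `should_install` is that the policy knobs (block_dangerous, offline_mode) apply to the whole batch after every package has a verdict, so an unreachable API with offline_mode set to block fails closed even when every reachable check was clean.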
Bypass (Not Recommended)
To bypass scanning for a single install:
```
pip install <package>   # Use pip directly
```
Uninstall
```
pip uninstall stillrunning-pip
```
License
MIT
Project details
Download files
Source Distribution
Built Distribution
File details
Details for the file stillrunning_pip-1.0.0.tar.gz.
File metadata
- Download URL: stillrunning_pip-1.0.0.tar.gz
- Upload date:
- Size: 6.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 8cc49b38ab304751c44e9be3417befd9690842c138b6908a440d806c0b4ec57b |
| MD5 | 75eca06655c9f3f1d817568fa3c8d7ce |
| BLAKE2b-256 | 2e1cd40fe26744b3d8b9b749e6b0df5c6e9565ef583991d90b25f0fe77e93d10 |
File details
Details for the file stillrunning_pip-1.0.0-py3-none-any.whl.
File metadata
- Download URL: stillrunning_pip-1.0.0-py3-none-any.whl
- Upload date:
- Size: 7.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | f16749130f5d9c6235f4e47db24433084f65bde25587b97c792b761277aa0631 |
| MD5 | 8826351ef2a63e4761faeb3d4b1dfcc7 |
| BLAKE2b-256 | ec6a4058a0004ad69eb5ae13bededdf7f352961a0b5aa2614e9e947ec590d4dc |