Package registry: PyPI

PyPI packages, inspected at install time.

A poisoned PyPI release can execute code from setup.py or an import hook. Extuno diffs each version and runs it in a sandbox - with static, dynamic, and AI analysis on every scan.

[Live inspection demo: requests 2.31.0 (pypi package), update 2.30.0 -> 2.31.0, analyzed with static, dynamic, and AI passes]
What Extuno catches in PyPI

Evidence, not guesswork.

Each finding names the change, why it is dangerous, and the recommended action.

  • setup.py execution (diff finding, Critical): Code in setup.py runs during pip install and reaches outside the package.
  • Typosquat payload (diff finding, Critical): A near-name package carries an exfiltration routine in its import hook.
  • New install dependency (diff finding, Review): The release pulls an extra dependency that opens a network socket.
See it on a poisoned update

Install-time code, caught before pip runs it

Extuno executes setup.py in a sandbox and records the network call it makes.

  • Vulnerability and secret-leak testing on every version
  • Static analysis reads the package without running it
  • Dynamic sandbox runs it live and records behavior
  • AI code analysis reads the full source and correlates the change against prior versions
[Illustration: your-service depends on requests 2.31.0, numpy 1.26.4, flask 3.0.0 and colorama-helper 0.0.3; the colorama-helper setup.py makes a network call to pypi-stats.io]
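As an added illustration of the static half of that pipeline (example code written for this page, not Extuno's own analysis), the script below diffs the setup.py of two releases of one distribution and reports exactly the two finding types listed above: a new install dependency, and install-time code that reaches outside the package. The package name, versions and the pypi-stats.io host come from the illustration on this page; the two setup.py bodies are constructed samples.

```python
import ast
import re

# Top-level modules and dotted calls whose presence in setup.py deserves a look before pip runs it.
SUSPECT_MODULES = {"socket", "urllib", "requests", "subprocess", "ctypes"}
SUSPECT_CALLS = {"exec", "eval", "os.system", "subprocess.Popen", "subprocess.run", "urllib.request.urlopen"}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None


def install_requires(setup_src):
    """Normalised distribution names from the install_requires literal of the setup() call."""
    for node in ast.walk(ast.parse(setup_src)):
        if isinstance(node, ast.Call) and _dotted(node.func) in ("setup", "setuptools.setup"):
            for kw in node.keywords:
                if kw.arg == "install_requires" and isinstance(kw.value, (ast.List, ast.Tuple)):
                    return {re.split(r"[^A-Za-z0-9_.-]", e.value, maxsplit=1)[0].lower()
                            for e in kw.value.elts if isinstance(e, ast.Constant)}
    return set()


def suspicious_calls(setup_src):
    """(name, line) for risky imports and calls anywhere in setup.py."""
    found = []
    for node in ast.walk(ast.parse(setup_src)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            found += [(n, node.lineno) for n in names if n.split(".")[0] in SUSPECT_MODULES]
        elif isinstance(node, ast.Call) and _dotted(node.func) in SUSPECT_CALLS:
            found.append((_dotted(node.func), node.lineno))
    return found


def diff_release(old_src, new_src):
    """Report only what the new version adds, mirroring the two finding types above."""
    return {"new_install_dependency": sorted(install_requires(new_src) - install_requires(old_src)),
            "setup_py_execution": sorted(set(suspicious_calls(new_src)) - set(suspicious_calls(old_src)))}


# Constructed sample: a benign 0.0.2 and a 0.0.3 whose setup.py phones home (names from the page's illustration).
OLD_SETUP = 'from setuptools import setup\nsetup(name="colorama-helper", version="0.0.2", install_requires=["colorama>=0.4"])\n'
NEW_SETUP = """\
import urllib.request
from setuptools import setup
urllib.request.urlopen("https://pypi-stats.io/ping")  # reaches outside the package during pip install
setup(name="colorama-helper", version="0.0.3", install_requires=["colorama>=0.4", "pypi-stats-client"])
"""
```

A static pass like this only sees literal imports and calls; obfuscated or dynamically built code is why the page pairs it with a sandbox run that records the network call itself.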

Scan your first PyPI package free.

Your first 5 credits are free - that is 5 full scans, no card required.