Package registry: PyPI
PyPI packages, inspected at install time.
A poisoned PyPI release can execute code from setup.py or an import hook. Extuno diffs each version and runs it in a sandbox - with static, dynamic, and AI analysis on every scan.
PyPI - live inspection (demo widget): inspecting requests 2.30.0 -> 2.31.0, a pypi package, with static, dynamic, and AI analysis of the update.
What Extuno catches in PyPI
Evidence, not guesswork.
Each finding names the change, why it is dangerous, and the recommended action.
- Diff finding - setup.py execution (Critical): code in setup.py runs during pip install and reaches outside the package.
- Diff finding - Typosquat payload (Critical): a near-name package carries an exfiltration routine in its import hook.
- Diff finding - New install dependency (Review): the release pulls an extra dependency that opens a network socket.
See it on a poisoned update
Install-time code, caught before pip runs it
Extuno executes setup.py in a sandbox and records the network call it makes.
- Vulnerability and secret-leak testing on every version
- Static analysis reads the package without running it
- Dynamic sandbox runs it live and records behavior
- AI code analysis reads the full source and correlates the change against prior versions
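As an added example of the static pass described above (this is illustrative code, not Extuno's): a small triage script that parses a release's setup.py with Python's ast module, flags setuptools command classes that override install-time hooks and calls into modules that reach outside the package, and diffs install_requires between two releases to surface a newly added dependency. The two setup.py sources it scans are constructed for this example, with a placeholder host and a placeholder dependency name, and the rule lists are illustrative rather than Extuno's ruleset.

```python
"""Added example, not Extuno's code: static triage of a PyPI release's setup.py
for install-time code and newly added install dependencies. All inputs are
constructed sample sources embedded below."""
import ast

# Callee prefixes that reach outside the package when run at install time.
# Constructed for this example; not exhaustive and not Extuno's rules.
RISKY_CALL_PREFIXES = ("socket.", "urllib.", "requests.", "http.",
                       "subprocess.", "os.system", "os.popen", "ctypes.")
RISKY_BUILTINS = {"exec", "eval", "__import__", "compile"}
# setuptools command classes whose run() executes during pip install/develop.
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}


def _dotted(node):
    """Render a Name/Attribute chain such as urllib.request.urlopen, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def scan_setup_py(source):
    """Return (severity, lineno, message) findings for one setup.py, by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            # A subclass of an install hook runs arbitrary code during pip install.
            for base in node.bases:
                name = _dotted(base)
                if name and name.rsplit(".", 1)[-1] in INSTALL_HOOKS:
                    findings.append(("Critical", node.lineno,
                                     f"class {node.name} overrides install-time "
                                     f"command {name}"))
        elif isinstance(node, ast.Call):
            callee = _dotted(node.func)
            if callee and (callee in RISKY_BUILTINS
                           or callee.startswith(RISKY_CALL_PREFIXES)):
                findings.append(("Critical", node.lineno,
                                 f"call to {callee} runs during pip install"))
    return sorted(findings, key=lambda f: f[1])


def install_requires(source):
    """Return the literal install_requires list passed to setup(), or []."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _dotted(node.func) == "setup":
            for kw in node.keywords:
                if kw.arg == "install_requires" and isinstance(kw.value, ast.List):
                    return [e.value for e in kw.value.elts
                            if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return []


def new_dependencies(old_source, new_source):
    """Dependencies the new release's setup.py adds relative to the old one."""
    return sorted(set(install_requires(new_source)) - set(install_requires(old_source)))


def triage(old_source, new_source):
    """Combine both checks into one finding list for a version-to-version diff."""
    findings = scan_setup_py(new_source)
    for dep in new_dependencies(old_source, new_source):
        findings.append(("Review", 0, f"new install dependency: {dep}"))
    return findings


# Constructed sample: the previous, harmless release.
OLD_SETUP = '''\
from setuptools import setup

setup(name="colorama-helper", version="0.0.2", install_requires=["colorama"])
'''

# Constructed sample: the new release adds an install hook that makes a network
# call to a placeholder host, plus a placeholder-named extra dependency.
NEW_SETUP = '''\
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        # constructed: install-time beacon to a placeholder host
        urllib.request.urlopen("https://stats.example.invalid/ping")

setup(
    name="colorama-helper",
    version="0.0.3",
    install_requires=["colorama", "stats-beacon-placeholder"],
    cmdclass={"install": PostInstall},
)
'''

if __name__ == "__main__":
    for severity, lineno, message in triage(OLD_SETUP, NEW_SETUP):
        where = f"line {lineno}: " if lineno else ""
        print(f"[{severity}] {where}{message}")
```

This is the "reads the package without running it" half only; it is blind to code that builds its callee names at runtime, which is exactly the gap the sandbox run covers.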
Demo dependency view for your-service: requests 2.31.0, numpy 1.26.4, flask 3.0.0, and colorama-helper 0.0.3 (flagged in setup.py; pypi-stats.io).
Scan your first PyPI package free.
Your first 5 credits are free - that is 5 full scans, no card required.