PyPI package security
Extuno scans PyPI packages for supply-chain risk - analyzing wheels and source distributions, running setup.py in a sandbox, and flagging install-time code execution, typosquats, and malicious updates.
What makes PyPI packages risky?
A source distribution can run a setup.py at install time, so code executes the moment a package is installed, before it is imported. Combined with typosquatting and the sheer number of packages, this makes PyPI a recurring supply-chain target.
What does Extuno check on PyPI?
Install-time code execution, network calls and credential reads during install, obfuscated payloads, typosquatting of popular package names, and the poisoned-update pattern across versions.
How does the sandbox handle setup.py?
Extuno runs the install in an ephemeral, network-segmented micro-VM and records process, network, and file behavior, so a malicious setup.py is observed with its endpoint and payload instead of running on your machine.