PyPI ecosystem

PyPI package security

In short

Extuno scans PyPI packages for supply-chain risk - analyzing wheels and source distributions, running setup.py in a sandbox, and flagging install-time code execution, typosquats, and malicious updates.

What makes PyPI packages risky?

A source distribution can run a setup.py at install time, so code executes the moment a package is installed, before it is imported. Combined with typosquatting and the sheer number of packages, this makes PyPI a recurring supply-chain target.

What does Extuno check on PyPI?

Install-time code execution, network calls and credential reads during install, obfuscated payloads, typosquatting of popular package names, and the poisoned-update pattern across versions.

How does the sandbox handle setup.py?

Extuno runs the install in an ephemeral, network-segmented micro-VM and records process, network, and file behavior, so a malicious setup.py is observed with its endpoint and payload instead of running on your machine.

FAQ

Common questions

Can a PyPI package run code on install?
Yes. A source distribution's setup.py executes during installation, which is why install-time analysis matters as much as reading the source.
Does Extuno cover both wheels and sdists?
Yes. It analyzes wheels and source distributions, and runs the install path in a sandbox to capture setup.py behavior.