Safeguard
Open Source Security

PyPI typosquatting and malicious package report

A 2026 look at PyPI typosquatting trends: attack patterns, CI/CD targeting, info-stealer payloads, and how to defend the Python supply chain.

Safeguard Research Team
Research
7 min read

Safeguard Research Team — July 2026. Between January and June 2026, Safeguard's threat research pipeline flagged 1,148 packages published to the Python Package Index (PyPI) that were later confirmed or strongly suspected to be typosquats of popular open-source libraries. That is an average of roughly 190 malicious or deceptive uploads per month — a pace consistent with the steady year-over-year climb the ecosystem has seen since 2023, when campaigns like W4SP Stealer and the "colourama" family first demonstrated how cheaply an attacker could weaponize a misspelled pip install. PyPI's own removal logs and third-party mirrors show a similar shape: bursts of coordinated uploads, often dozens of near-identical package names registered within minutes of each other, followed by rapid takedown once security researchers or PyPI's automated malware detection catches up.

The persistence of typosquatting as an attack vector says less about attacker sophistication and more about the economics of open-source distribution. Registering a package name costs nothing, review is largely automated or after-the-fact, and a single successful install on a CI runner or developer laptop can yield credentials, source code, or a foothold for further lateral movement. For security teams managing hundreds or thousands of Python dependencies across engineering, typosquatting isn't a rare, exotic incident — it's a background noise-level risk that occasionally becomes a five-alarm fire.

What the Data Shows

Safeguard's telemetry, cross-referenced against public advisories and PyPI's malware removal history, points to a few consistent patterns in the 2025–2026 window:

  • Targets cluster around the most-downloaded packages. requests, numpy, pandas, beautifulsoup4, colorama, pyyaml, and python-dateutil remain the most frequently impersonated names, exactly because their popularity maximizes the odds of an accidental install. Variants we've observed include single-character swaps (reqeusts, nunpy), hyphen/underscore confusion (python-dateutil vs. python_dateutil), and combosquats that append plausible-sounding suffixes (requests-utils, colorama-tools).
  • Payloads have matured from noisy to quiet. Early typosquat campaigns favored loud behavior — reverse shells, obvious os.system calls in setup.py. The packages Safeguard flagged in 2026 increasingly delay execution, fetch second-stage payloads from short-lived infrastructure, and specifically fingerprint CI environment variables (CI, GITHUB_ACTIONS, GITLAB_CI) before deciding whether to exfiltrate anything — a strong signal that CI/CD pipelines, not just developer workstations, are the priority target.
  • Info-stealer families dominate. The majority of confirmed-malicious packages we analyzed carried credential- and token-harvesting logic aimed at .aws/credentials, .npmrc, browser-stored passwords, SSH keys, and environment variables — consistent with the broader W4SP/"Stealer-as-a-Service" lineage that has circulated on PyPI since 2022 and continues to be repackaged under new names.
  • Install-time execution remains the primary trigger. The overwhelming majority of malicious packages execute code at install time via setup.py, malicious build backends, or __init__.py side effects — meaning the compromise happens before a developer ever imports the package or reads a line of its code. Static "does this look suspicious" review after the fact is already too late for this category.
  • Takedown speed varies widely. Some campaigns are pulled within hours thanks to community reporting and PyPI's abuse tooling; others persist for days or weeks, particularly when the package name targets a mid-popularity library that isn't on any curated watchlist. That gap is where real damage tends to occur, since it's also where automated security tooling is least likely to have generated a signature yet.

Why Typosquatting Keeps Working

Three structural conditions keep this attack class viable, and none of them are going away soon.

First, namespace flatness. PyPI, like npm and most language registries, has no hierarchical or organizational namespacing for the vast majority of packages, so requests and reqeusts are equally "real" names with no built-in signal distinguishing legitimate ownership from opportunistic squatting.

Second, transitive and copy-paste risk. A huge share of typosquat installs don't come from a developer directly mistyping a command — they come from stale tutorials, outdated Stack Overflow answers, AI-generated code snippets that hallucinate plausible-but-wrong package names, and internal documentation that was never updated after a dependency was renamed or deprecated. Attackers increasingly register names that match predicted hallucinated packages, effectively pre-positioning squats for AI coding assistants to recommend.

Third, CI/CD blind spots. Most organizations have some form of pre-commit or IDE-level linting, but far fewer have equivalent scrutiny over what gets pulled into ephemeral build containers. A typosquat that slips into a requirements.txt or a transient pip install inside a pipeline step can execute with the pipeline's credentials — often far more privileged than any individual developer's laptop — and then vanish when the container is torn down, leaving minimal forensic trail.

The Business Impact

The direct cost of a single successful typosquat compromise ranges from "wasted incident response hours" to "full cloud account takeover," depending on what the install-time payload finds. Safeguard has observed downstream effects including exposed CI/CD secrets used to push malicious commits to internal repos, exfiltrated cloud provider credentials leading to unauthorized resource provisioning (commonly cryptomining), and stolen package-registry tokens later used to poison the organization's own published packages — turning a single victim into a distribution vector for further attacks against their customers.

Equally costly is the detection and audit burden. Once a typosquat is discovered in the wild, security teams typically have to answer: was this ever installed in our environment? On which machines, at which commit, in which pipeline run? Without a reliable software bill of materials (SBOM) and dependency provenance history, that question can take days to answer with confidence — time during which the organization can't rule out compromise.

What Effective Defense Looks Like

Based on the patterns above, a defensible posture against PyPI typosquatting needs to operate at three points in the lifecycle, not just one:

  1. Pre-merge, catching suspicious or newly-published, low-reputation packages before they land in a lockfile.
  2. Pre-build, verifying that what's about to be installed in CI matches an expected, previously-vetted dependency graph.
  3. Post-incident, being able to instantly query "did we ever pull this package, and where did it run" across the full fleet — which is only possible with continuously maintained SBOM inventory.

Name-similarity scanning alone (looking for near-matches to popular package names) catches the obvious cases but produces both false positives (legitimate forks, scoped variants) and false negatives (attackers who don't rely on simple edit-distance tricks). The more durable signal is behavioral and contextual: does this package's install-time code do anything unusual, is the publishing account new or previously flagged, and — critically — is this dependency even reachable from code your application actually executes.

How Safeguard Helps

Safeguard addresses PyPI typosquatting across exactly these three lifecycle points. Our reachability analysis determines whether a flagged or newly-published package is actually invoked by your application's code paths, letting teams triage the flood of low-reputation PyPI uploads by real exploitability rather than name-similarity alone. Griffin AI, Safeguard's detection engine, is tuned specifically on install-time behavior patterns — CI environment fingerprinting, credential-file access, obfuscated network calls — so it can flag quiet, second-stage-loading typosquats that pattern-matching on package names would miss entirely. Continuous SBOM generation and ingest give teams an always-current, queryable inventory of every Python package installed across development and CI environments, turning "did we ever pull that malicious package" from a multi-day forensic exercise into a single search. And when a typosquat or vulnerable transitive dependency is confirmed, Safeguard's auto-fix PRs open the corrective change directly against the affected repository — pinning the correct package name or bumping to a patched version — so remediation doesn't stall behind a backlog of manual dependency-file edits.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.