
PyPI
Python Package Index; a 1.1-million-download package distributed infostealer malware in April 2026.
Last refreshed: 30 April 2026 · Appears in 1 active topic
If a 1.1-million-download PyPI package can push infostealer malware, is the trust model fit for enterprise use?
Timeline for PyPI
Mentioned in: Attack worm kit now open-sourced freely
Cybersecurity: Threats and DefencesMentioned in: GitHub's own code cloned via add-on
Cybersecurity: Threats and DefencesMentioned in: GTIG names the first LLM-written working zero-day
Cybersecurity: Threats and DefencesMentioned in: UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing
Cybersecurity: Threats and DefencesThree supply-chain hits in thirteen days
Cybersecurity: Threats and DefencesWhich PyPI package was found distributing infostealer malware in April 2026?
How can I tell if my Python project depends on a malicious PyPI package?
Is PyPI safe to use after the April 2026 infostealer incident?
Background
PyPI — the Python Package Index — is the primary public repository for Python software packages, hosting over 500,000 projects and serving billions of package downloads per month. Operated by the Python Software Foundation (PSF), a non-profit funded by corporate sponsorship, it is the de facto distribution channel for the Python ecosystem: any developer running `pip install` on a public package draws from PyPI. The PSF has progressively tightened security requirements: mandatory two-factor authentication for the top 1% of packages by download count was required from 2023, and Sigstore-based cryptographic signing for package releases was introduced in 2022.
In late April 2026, a PyPI package with 1.1 million monthly downloads was found distributing infostealer malware — the third supply-chain attack against developer infrastructure in a thirteen-day window alongside GlassWorm (OpenVSX) and TeamPCP (SAP npm).
PyPI has faced recurrent supply-chain attacks since at least 2021, including typosquat packages, dependency-confusion attacks, and compromised maintainer accounts. The April 2026 incident involved a legitimate, high-traffic package in the top tier by usage volume, suggesting either a maintainer account compromise or a malicious update pushed under an existing trusted identity. This attack class is more dangerous than typosquats because security tooling that screens package names does not catch updates to packages already on the allow-list.
Whether the April 2026 incident involved a 2FA bypass, a signing-key compromise, or an unprotected account has not been publicly confirmed. Enterprises are advised to implement lockfile pinning with hash verification and internal package mirrors for critical dependencies.