PyPI

Python Package Index; a 1.1-million-download package distributed infostealer malware in April 2026.

Last refreshed: 30 April 2026 · Appears in 1 active topic

Key Question

If a 1.1-million-download PyPI package can push infostealer malware, is the trust model fit for enterprise use?

Timeline for PyPI

#2 · 29 Apr

Three supply-chain hits in thirteen days

Cybersecurity: Threats and Defences
Common Questions
Which PyPI package was found distributing infostealer malware in April 2026?
The specific package had 1.1 million monthly downloads but had not been publicly named in initial reporting. The Python Software Foundation is the appropriate source for the confirmed package name once their investigation concludes.
Source: Bleeping Computer
How can I tell if my Python project depends on a malicious PyPI package?
Run a software composition analysis (SCA) tool against your requirements.txt and Pipfile.lock. Monitor PyPI's advisory database and PSF security announcements. Pin package versions and hashes in requirements files to prevent unexpected malicious updates from being pulled.
Is PyPI safe to use after the April 2026 infostealer incident?
PyPI remains the primary Python package distribution channel. The incident affects one package; the PSF removes malicious packages when identified. Enterprises should implement lockfile pinning, hash verification, and internal package mirrors for critical dependencies.
What security controls does PyPI have against malicious package uploads?
PyPI requires mandatory 2FA for the top 1% of packages by download count (enforced since 2023) and supports Sigstore cryptographic signing (introduced 2022). The April 2026 incident reached a 1.1-million-download package, suggesting these controls did not prevent the compromise.

Background

PyPI — the Python Package Index — is the primary public repository for Python software packages, hosting over 500,000 projects and serving billions of package downloads per month. Operated by the Python Software Foundation (PSF), a non-profit funded by corporate sponsorship, it is the de facto distribution channel for the Python ecosystem: any developer running `pip install` on a public package draws from PyPI. The PSF has progressively tightened security requirements: mandatory two-factor authentication for the top 1% of packages by download count was required from 2023, and Sigstore-based cryptographic signing for package releases was introduced in 2022.

In late April 2026, a PyPI package with 1.1 million monthly downloads was found distributing infostealer malware — the third supply-chain attack against developer infrastructure in a thirteen-day window alongside GlassWorm (OpenVSX) and TeamPCP (SAP npm).

PyPI has faced recurrent supply-chain attacks since at least 2021, including typosquat packages, dependency-confusion attacks, and compromised maintainer accounts. The April 2026 incident involved a legitimate, high-traffic package in the top tier by usage volume, suggesting either a maintainer account compromise or a malicious update pushed under an existing trusted identity. This attack class is more dangerous than typosquats because security tooling that screens package names does not catch updates to packages already on the allow-list.

Whether the April 2026 incident involved a 2FA bypass, a signing-key compromise, or an unprotected account has not been publicly confirmed. Enterprises are advised to implement lockfile pinning with hash verification and internal package mirrors for critical dependencies.
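The hash-pinning control recommended above (and in the "How can I tell if my Python project depends on a malicious PyPI package?" answer) works because pip, run with `--require-hashes`, refuses any artifact whose digest is not listed in the requirements file, so a malicious re-release under a trusted name cannot be pulled silently. The following script is an added example, not code from this page or from the PSF: it parses a requirements file in the layout `pip-compile --generate-hashes` produces, reports entries that an unexpected upstream release could still replace (no exact `==` pin, or no `--hash`), and checks downloaded artifact bytes against the pinned digests. The requirements text, package names and "wheel" bytes are constructed for the demo.

```python
"""Audit a hash-pinned requirements file and verify artifacts against it.

Added example: the requirements text and artifact bytes below are constructed;
none of the package names refer to real PyPI projects.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# pip accepts sha256, sha384 and sha512 in --hash options.
HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")
# Exact pin: name, optional extras, then ==version.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==(?P<version>[^\s;\\]+)"
)
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


@dataclass
class Requirement:
    name: str                       # PEP 503 normalised name
    version: Optional[str]          # None unless pinned with ==
    hashes: Dict[str, Set[str]] = field(default_factory=dict)


def normalise(name: str) -> str:
    """PEP 503 name normalisation: runs of '-', '_' and '.' become '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Requirement]:
    """Join backslash-continued lines, drop comments and option lines, and
    collect the pin and hash information for each requirement."""
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # comments; hashes are hex, so '#' is safe
        if not line.strip():
            continue
        if line.endswith("\\"):                 # continuation line
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf.strip():
        logical.append(buf.strip())

    reqs: List[Requirement] = []
    for entry in logical:
        if entry.startswith("-"):               # -r, --index-url, ...: not a requirement
            continue
        pin = PIN_RE.match(entry)
        name = normalise(NAME_RE.match(entry).group(0))
        hashes: Dict[str, Set[str]] = {}
        for h in HASH_RE.finditer(entry):
            hashes.setdefault(h.group("algo"), set()).add(h.group("digest").lower())
        reqs.append(Requirement(name, pin.group("version") if pin else None, hashes))
    return reqs


def audit(reqs: List[Requirement]) -> List[str]:
    """Entries that a new upstream release could replace without any change to
    the requirements file: unpinned versions and entries without a hash."""
    problems = []
    for r in reqs:
        if r.version is None:
            problems.append(f"{r.name}: no exact version pin")
        if not r.hashes:
            problems.append(f"{r.name}: no --hash (pip --require-hashes would refuse it)")
    return problems


def verify_artifact(req: Requirement, data: bytes) -> bool:
    """Accept the artifact only if its digest matches one of the pinned hashes,
    which is the check pip performs before installing under --require-hashes."""
    if not req.hashes:
        return False
    return any(
        hashlib.new(algo, data).hexdigest() in digests
        for algo, digests in req.hashes.items()
    )


# Constructed artifact and lock file (not a real wheel, not a real package).
GOOD_WHEEL = b"PK\x03\x04 constructed wheel bytes, not a real package"
TAMPERED_WHEEL = GOOD_WHEEL + b"\x00 injected payload"
GOOD_SHA256 = hashlib.sha256(GOOD_WHEEL).hexdigest()

SAMPLE_REQUIREMENTS = f"""\
# constructed lock file in the layout pip-compile --generate-hashes emits
examplepkg==1.4.2 \\
    --hash=sha256:{GOOD_SHA256}
Example_Other>=2.0   # range: a newer malicious release would be accepted
thirdpkg==0.9.1      # exact pin, but no hash to tie it to a known artifact
"""

if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    for problem in audit(reqs):
        print("WARN", problem)
    print("good artifact accepted:", verify_artifact(reqs[0], GOOD_WHEEL))
    print("tampered artifact accepted:", verify_artifact(reqs[0], TAMPERED_WHEEL))
```

In practice the lock file is generated with `pip-compile --generate-hashes` (from pip-tools) and installed with `pip install --require-hashes -r requirements.txt`; the audit above is the pre-merge check that every entry actually carries a pin and a hash, since pip only enforces hashes for files it is asked to install and a single unhashed entry makes `--require-hashes` fail outright.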

Source Material