pipcanary 0.0.3__tar.gz

pipcanary-0.0.3/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Sebastian Kuebeck
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

pipcanary-0.0.3/MANIFEST.in

@@ -0,0 +1 @@
+include src/pipcanary/sbpip_scan.sh

pipcanary-0.0.3/PKG-INFO

@@ -0,0 +1,105 @@
+Metadata-Version: 2.4
+Name: pipcanary
+Version: 0.0.3
+Summary: Supply Chain Attack prevention tool
+Author-email: Sebastian Kuebeck <sebastian.kuebeck@encab.io>
+Project-URL: Homepage, https://github.com/sebastian-kuebeck/pipcanary
+Project-URL: Documentation, https://github.com/sebastian-kuebeck/pipcanary
+Project-URL: Bug Tracker, https://github.com/sebastian-kuebeck/pipcanary
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Programming Language :: Python :: 3.15
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: POSIX :: Linux
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: virtualenv~=21.2.0
+Dynamic: license-file
+
+# PipCanary
+
+## Features
+
+- Detects Supply Chain Attacks in Python packages
+
+- Makes sure that new package releases are only installed after a cool down period, so secuity scanners have time to detect vulnerabilities
+
+## Maturity
+
+The project is in early stages. However, it's safer to use this than pip, poetry or uv alone.
+
+## Requirements
+
+- Linux 
+
+- [Python](https://www.python.org/) 3.10 or higher
+
+- [bubblewrap](https://github.com/containers/bubblewrap)
+
+- [strace](https://strace.io)
+
+- [pip](https://pip.pypa.io/en/stable/getting-started/)
+
+## Installation
+
+```bash
+    pip install pipcanary
+```
+
+## Execution
+
+Check your requirements for potential Supply Chain Attacks
+
+```bash
+    pipcanary -r requirements.txt
+```
+
+Sample output when all is fine...
+
+```text
+    ...
+    All packages appear to be safe!    
+```
+
+Sample output if a potential attack is detected...
+
+```text
+    ...
+    Found suspicious access to /root/.ssh in package evilpack
+
+    This could be dangerous!!!
+    Don't install this package under any circumstances until you know for sure that this is a false positive!
+    In doubt, contact the package maintainers!
+```
+
+Sample output when packages were updated during the cooling of phase of one week...
+
+```text
+    ...
+    Package click 8.3.2 was updated too recently: 2026-04-03T19:14:45. 
+    It might be safer to use an older version.
+    Consider click<=8.3.1 or earlier and check for potential known vulnerabilities of this version.
+    If you are certain that the latest upload is safe, add the following argument...
+    --allow-upload-time='click<=2026-04-03T19:14:45'
+
+    Package Werkzeug 3.1.8 was updated too recently: 2026-04-02T18:49:14. 
+    It might be safer to use an older version.
+    Consider Werkzeug<=3.1.7 or earlier and check for potential known vulnerabilities of this version.
+    If you are certain that the latest upload is safe, add the following argument...
+    --allow-upload-time='Werkzeug<=2026-04-02T18:49:14'
+
+    The following packages were uploaded too recently: click, Werkzeug
+```
+
+## Similar Projects
+
+- [pip-audit](https://github.com/pypa/pip-audit)
+
+## Further Information on PyPi Suppy Chaion Attacks
+
+- [How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM](https://snyk.io/de/articles/poisoned-security-scanner-backdooring-litellm/)
+- [The Team PCP Snowball Effect: A Quantitative Analysis](https://blog.gitguardian.com/team-pcp-snowball-analysis/)

pipcanary-0.0.3/README.md

@@ -0,0 +1,83 @@
+# PipCanary
+
+## Features
+
+- Detects Supply Chain Attacks in Python packages
+
+- Makes sure that new package releases are only installed after a cool down period, so secuity scanners have time to detect vulnerabilities
+
+## Maturity
+
+The project is in early stages. However, it's safer to use this than pip, poetry or uv alone.
+
+## Requirements
+
+- Linux 
+
+- [Python](https://www.python.org/) 3.10 or higher
+
+- [bubblewrap](https://github.com/containers/bubblewrap)
+
+- [strace](https://strace.io)
+
+- [pip](https://pip.pypa.io/en/stable/getting-started/)
+
+## Installation
+
+```bash
+    pip install pipcanary
+```
+
+## Execution
+
+Check your requirements for potential Supply Chain Attacks
+
+```bash
+    pipcanary -r requirements.txt
+```
+
+Sample output when all is fine...
+
+```text
+    ...
+    All packages appear to be safe!    
+```
+
+Sample output if a potential attack is detected...
+
+```text
+    ...
+    Found suspicious access to /root/.ssh in package evilpack
+
+    This could be dangerous!!!
+    Don't install this package under any circumstances until you know for sure that this is a false positive!
+    In doubt, contact the package maintainers!
+```
+
+Sample output when packages were updated during the cooling of phase of one week...
+
+```text
+    ...
+    Package click 8.3.2 was updated too recently: 2026-04-03T19:14:45. 
+    It might be safer to use an older version.
+    Consider click<=8.3.1 or earlier and check for potential known vulnerabilities of this version.
+    If you are certain that the latest upload is safe, add the following argument...
+    --allow-upload-time='click<=2026-04-03T19:14:45'
+
+    Package Werkzeug 3.1.8 was updated too recently: 2026-04-02T18:49:14. 
+    It might be safer to use an older version.
+    Consider Werkzeug<=3.1.7 or earlier and check for potential known vulnerabilities of this version.
+    If you are certain that the latest upload is safe, add the following argument...
+    --allow-upload-time='Werkzeug<=2026-04-02T18:49:14'
+
+    The following packages were uploaded too recently: click, Werkzeug
+```
+
+## Similar Projects
+
+- [pip-audit](https://github.com/pypa/pip-audit)
+
+## Further Information on PyPi Suppy Chaion Attacks
+
+- [How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM](https://snyk.io/de/articles/poisoned-security-scanner-backdooring-litellm/)
+- [The Team PCP Snowball Effect: A Quantitative Analysis](https://blog.gitguardian.com/team-pcp-snowball-analysis/)

pipcanary-0.0.3/pyproject.toml

@@ -0,0 +1,40 @@
+[build-system]
+requires = ["setuptools>=63.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "pipcanary"
+version = "0.0.3"
+authors = [
+  { name="Sebastian Kuebeck", email="sebastian.kuebeck@encab.io" },
+]
+license-files = ['LICENSE']
+description = "Supply Chain Attack prevention tool"
+readme = "README.md"
+requires-python = ">=3.10"
+classifiers = [
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Programming Language :: Python :: 3.15",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: POSIX :: Linux",
+]
+
+dependencies = ["virtualenv~=21.2.0"]
+
+[project.urls]
+"Homepage" = "https://github.com/sebastian-kuebeck/pipcanary"
+"Documentation" = "https://github.com/sebastian-kuebeck/pipcanary"
+"Bug Tracker" = "https://github.com/sebastian-kuebeck/pipcanary"
+
+[project.scripts]
+pipcanary = "pipcanary.pipcanary:pipcanary"
+
+[tool.setuptools.package-data]
+pipcanary = ["src/pipcanary/sbpip_scan.sh"]
+
+[tool.ruff]
+line-length = 120

pipcanary-0.0.3/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

pipcanary-0.0.3/src/pipcanary/__main__.py

@@ -0,0 +1,4 @@
+from .pipcanary import pipcanary
+
+if __name__ == "__main__":
+    pipcanary()

pipcanary-0.0.3/src/pipcanary/module_loader.py

@@ -0,0 +1,22 @@
+import sys
+import pkgutil
+
+from distutils.sysconfig import get_python_lib
+
+
+def load_modules(dirname):
+    for importer, package_name, _ in pkgutil.iter_modules([dirname]):
+        if package_name not in sys.modules:
+            try:
+                print("Loading package: %s..." % package_name)
+                print("Package: %s" % package_name, file=sys.stderr)
+                importer.find_module(package_name).load_module(  # type: ignore
+                    package_name
+                )
+                del sys.modules[package_name]
+            except ImportError:
+                pass
+
+
+if __name__ == "__main__":
+    load_modules(get_python_lib())

pipcanary-0.0.3/src/pipcanary/packages.py

@@ -0,0 +1,231 @@
+import json
+
+from typing import Dict, Any, Optional, List, Union
+from urllib.request import urlopen
+from urllib.error import URLError, HTTPError
+from datetime import datetime, timedelta
+from abc import ABC, abstractmethod
+
+
+class Upload:
+    def __init__(self, version: str, upload_time: datetime) -> None:
+        self.version = version
+        self.upload_time = upload_time
+
+    @staticmethod
+    def from_json(version: str, data: Dict[str, Any]) -> "Upload":
+        upload_time = data["upload_time"]
+        return Upload(version, datetime.fromisoformat(upload_time))
+
+
+class Release:
+    def __init__(self, version: str, uploads: List[Upload]) -> None:
+        self.version = version
+        self.uploads = uploads
+
+    @property
+    def latest_upload_date(self) -> Optional[datetime]:
+        if self.uploads:
+            return max([u.upload_time for u in self.uploads])
+        else:
+            return None
+
+    @staticmethod
+    def from_json(version: str, data: List[Dict[str, Any]]) -> "Release":
+        uploads: List[Upload] = []
+        for upload_data in data:
+            uploads.append(Upload.from_json(version, upload_data))
+        return Release(version, uploads)
+
+
+class PackageInfo:
+    def __init__(
+        self, latest_version: Optional[str], releases: Dict[str, Release]
+    ) -> None:
+        self.latest_version = latest_version
+        self.releases = releases
+
+    @staticmethod
+    def from_json(data: Dict[str, Any]) -> "PackageInfo":
+        releases: Dict[str, Release] = {}
+        for version, release_list in data.get("releases", {}).items():
+            releases[version] = Release.from_json(version, release_list)
+
+        latest_version = data["info"]["version"]
+
+        if latest_version:
+            return PackageInfo(latest_version, releases)
+        else:
+            return PackageInfo(None, {})
+
+    def latest_upload_date(self, version: str) -> Optional[datetime]:
+        if self.latest_version and self.releases:
+            release = self.releases.get(version)
+            if release:
+                return release.latest_upload_date
+
+    @property
+    def uploads(self) -> List[Upload]:
+        uploads = []
+        for _, release in self.releases.items():
+            uploads.extend(release.uploads)
+        return uploads
+
+
+class PackageSource(ABC):
+    @abstractmethod
+    def download_package_info(self, package_name: str) -> Optional[PackageInfo]:
+        pass
+
+
+class PackageDownloadError(Exception):
+    def __init__(self, package_name: str, msg: str, parent: Exception) -> None:
+        super().__init__(msg)
+        self.package_name = package_name
+        self.parent = parent
+
+
+class PypiPackageSource(PackageSource):
+    def download_package_info(self, package_name: str) -> Optional[PackageInfo]:
+        try:
+            response = urlopen(f"https://pypi.org/pypi/{package_name}/json")
+            package_info_data = json.load(response)
+            return PackageInfo.from_json(package_info_data)
+        except HTTPError as e:
+            if e.code == 404:
+                return None
+            else:
+                raise PackageDownloadError(package_name, str(e), e)
+        except URLError as e:
+            raise PackageDownloadError(package_name, str(e), e)
+
+
+class PackageAgumentError(Exception):
+    pass
+
+
+class Package:
+    def __init__(self, name: str, version: str, source: PackageSource) -> None:
+        self.name = name
+        self.version = version
+        self.source = source
+        self._info_available = False
+        self._info: Optional[PackageInfo] = None
+
+    @staticmethod
+    def from_json(record: Dict[str, str], source: PackageSource) -> "Package":
+        return Package(record["name"], record["version"], source)
+
+    @property
+    def info(self) -> Optional[PackageInfo]:
+        if not self._info_available:
+            self._info = self.source.download_package_info(self.name)
+            self._info_available = True
+
+        return self._info
+
+    @property
+    def latest_upload_date(self) -> Optional[datetime]:
+        if self.info:
+            return self.info.latest_upload_date(self.version)
+
+    def latest_possible_upload(self, latest_upload_time: datetime) -> Optional[Upload]:
+        if self.info:
+            uploads = sorted(
+                self.info.uploads, key=lambda u: u.upload_time, reverse=True
+            )
+            for upload in uploads:
+                if upload.upload_time <= latest_upload_time:
+                    return upload
+
+    def __str__(self) -> str:
+        return f"{self.name} {self.version}"
+
+
+class PackageCheckObserver(ABC):
+    @abstractmethod
+    def package_not_found(self, package: Package):
+        pass
+
+    @abstractmethod
+    def package_too_recently(
+        self, package: Package, upload_time: datetime, latest_upload_time: datetime
+    ):
+        pass
+
+
+class PackageSelection:
+    COOL_DOWN_PHASE_DAYS = 7
+
+    def __init__(
+        self,
+        max_upload_time: Optional[str] = None,
+        cool_down_phase_days: Optional[int] = None,
+        allowed_upload_times: Optional[Union[List[str], str]] = None,
+        current_time: Optional[datetime] = None,
+    ) -> None:
+        self.current_time: datetime = current_time or datetime.now()
+        self.cool_down_phase_days = cool_down_phase_days or self.COOL_DOWN_PHASE_DAYS
+        try:
+            self._max_upload_time: Optional[datetime] = (
+                datetime.fromisoformat(max_upload_time) if max_upload_time else None
+            )
+        except ValueError:
+            raise PackageAgumentError(
+                "Malformed datetime passed with argument max_upload_time"
+            )
+
+        self._max_upload_time_for: Dict[str, datetime] = {}
+
+        if isinstance(allowed_upload_times, str):
+            allowed_upload_times = [allowed_upload_times]
+
+        rules = allowed_upload_times or []
+        for rule in rules:
+            try:
+                package, max_upload_time = rule.split("<=")
+                self._max_upload_time_for[package] = datetime.fromisoformat(
+                    max_upload_time
+                )
+            except ValueError:
+                raise PackageAgumentError(
+                    "Malformed argument max_upload_time. Expected <package_name><=<max upload time>"
+                )
+
+    def max_upload_time(self, package: str) -> datetime:
+        return self._max_upload_time_for.get(package, self._max_upload_time) or (
+            self.current_time - timedelta(days=self.cool_down_phase_days)
+        )
+
+
+class Packages:
+    def __init__(self, source: PackageSource, observer: PackageCheckObserver) -> None:
+        self.source = source
+        self.packages: List[Package] = []
+        self.observer: PackageCheckObserver = observer
+
+    def load(self, package_list: List[Dict[str, str]]) -> List[Package]:
+        for package_data in package_list:
+            package = Package(
+                package_data["name"], package_data["version"], self.source
+            )
+            self.packages.append(package)
+        return self.packages
+
+    def check_uploads(self, selection: PackageSelection) -> List[Package]:
+        recent_packages: List[Package] = []
+        for package in self.packages:
+            upload_time = package.latest_upload_date
+
+            if not upload_time:
+                self.observer.package_not_found(package)
+                continue
+
+            if upload_time > (
+                latest_upload_time := selection.max_upload_time(package.name)
+            ):
+                self.observer.package_too_recently(
+                    package, upload_time, latest_upload_time
+                )
+                recent_packages.append(package)
+        return recent_packages

pipcanary-0.0.3/src/pipcanary/pipcanary.py

@@ -0,0 +1,274 @@
+import sys
+import os
+import subprocess
+import signal
+import tempfile
+import json
+import shutil
+import time
+
+from subprocess import CalledProcessError
+from typing import List, Dict, Any, Optional
+from argparse import ArgumentParser
+from datetime import datetime
+
+from .strace_scanner import (
+    StraceScanner,
+    StraceCredentialsExfiltrationRuleSet,
+    ScannerObserver,
+)
+
+from .packages import (
+    Packages,
+    PypiPackageSource,
+    PackageCheckObserver,
+    Package,
+    PackageDownloadError,
+    PackageSelection,
+    PackageAgumentError,
+)
+
+
+class InvalidArgumentError(Exception):
+    pass
+
+
+class ScanFailedError(Exception):
+    def __init__(self, rc: int, message: str) -> None:
+        super().__init__(message)
+        self.rc = rc
+
+
+class UploadVerificationFailedError(Exception):
+    pass
+
+
+class SuspiciousAccessDetected(Exception):
+    pass
+
+
+class AlertingScannerObserver(ScannerObserver):
+
+    def resource_identified(self, resource: str):
+        print("Scanning package install: %s..." % resource)
+
+    def match_detected(self, resource: str, pattern: str):
+        raise SuspiciousAccessDetected(
+            "Found suspicious access to %s in package %s" % (pattern, resource),
+        )
+
+
+class PrintingPackageCheckObserver(PackageCheckObserver):
+
+    def package_not_found(self, package: Package):
+        print(f"Package {package.name} not found on pypi")
+
+    def package_too_recently(
+        self, package: Package, upload_time: datetime, latest_upload_time: datetime
+    ):
+        print(
+            f"""Package {package.name} {package.version} was updated too recently: {upload_time.isoformat()}. 
+It might be safer to use an older version."""
+        )
+        upload = package.latest_possible_upload(latest_upload_time)
+        if upload:
+            print(
+                f"""Consider {package.name}<={upload.version} or earlier and check for potential known vulnerabilities of this version.
+If you are certain that the latest upload is safe, add the following argument...
+--allow-upload-time='{package.name}<={upload_time.isoformat()}'
+"""
+            )
+        else:
+            print("No suitable version uploaded yet.")
+
+
+INSTALL_SCRIPT = os.path.join(os.path.dirname(__file__), "sbpip_scan.sh")
+# INSTALL_SCRIPT = os.path.join(os.path.dirname(__file__), 'sbpip_test.sh')
+
+parser = ArgumentParser(
+    prog="PipCanary", description="Detects supply chain attacks in python dependencies"
+)
+
+parser.add_argument("-r", "--requirement")
+parser.add_argument(
+    "--max-upload-time",
+    help=(
+        "Maximum upload time for all packages (ISO 8601 date and time format). "
+        "Example: --max-upload-time='2026-04-07T07:43:51+0000'"
+    ),
+)
+parser.add_argument(
+    "-c",
+    "--cool-down-phase-days",
+    help=("Cool down phase for packages in days for new package uploads. Default: 7"),
+)
+parser.add_argument(
+    "-a",
+    "--allow-upload-time",
+    action="append",
+    help=(
+        "Maximum upload time for a single package (ISO 8601 date and time format). "
+        "Example: --allow-upload-time='requests<=2026-04-07T07:43:51+0000"
+    ),
+)
+
+parser.add_argument(
+    "-d",
+    "--additional-directory",
+    help=(
+        "Additional directory mapped into the sandbox while scanning"
+        "Make sure this directory does not contain sensitive information!"
+    ),
+)
+
+parser.add_argument(
+    "-t",
+    "--trace-file",
+    help=("The trace file for further analysis"),
+)
+
+
+def scan_packages(
+    requirement_file: str,
+    additional_directory: Optional[str],
+    trace_file: Optional[str],
+) -> List[Dict[str, Any]]:
+    home_directory = os.environ["HOME"]
+
+    env = {
+        "REQUIREMENTS_FILE": requirement_file,
+        **dict(os.environ),
+    }
+
+    if additional_directory:
+        env["PIPCANARY_ADDITIONAL_DIRECTORY"] = os.path.abspath(additional_directory)
+
+    command = ["sh", INSTALL_SCRIPT]
+
+    venv_directory = tempfile.mkdtemp(suffix="-pipcanary")
+    process = None
+
+    try:
+        env["PIPCANARY_VIRTUAL_ENV"] = venv_directory
+
+        observer = AlertingScannerObserver()
+        scanner = StraceScanner(
+            StraceCredentialsExfiltrationRuleSet(home_directory, venv_directory),
+            observer,
+            trace_file,
+        )
+
+        process = subprocess.Popen(command, stderr=subprocess.PIPE, text=True, env=env)
+
+        assert process.stderr
+
+        scanner.scan(process.stderr)
+
+        process.wait()
+
+        if process.returncode != 0:
+            raise ScanFailedError(
+                process.returncode, "Scan failed with rc %d" % process.returncode
+            )
+        with open(os.path.join(venv_directory, "packages.json"), "r") as f:
+            return json.load(f)
+    except SuspiciousAccessDetected as e:
+        if process:
+            os.kill(process.pid, signal.SIGKILL)
+        raise e
+    finally:
+        for i in range(3):
+            try:
+                shutil.rmtree(venv_directory)
+            except OSError:
+                time.sleep(i)
+
+
+def check_package_uploads(
+    package_list: List[Dict[str, Any]], selection: PackageSelection
+):
+    print("Checking the most recent package uploads...\n")
+    packages = Packages(PypiPackageSource(), PrintingPackageCheckObserver())
+    packages.load(package_list)
+    recent_packages = packages.check_uploads(selection)
+
+    if recent_packages:
+        raise UploadVerificationFailedError(
+            "The following packages were uploaded too recently: %s"
+            % (", ".join([p.name for p in recent_packages]))
+        )
+
+
+def check_command(command: str, test_command: List[str]):
+    try:
+        subprocess.check_call(test_command)
+    except CalledProcessError:
+        print("Required command %s not found!" % command)
+        exit(-1)
+
+
+def check_package(package: str, test_command: List[str]):
+    try:
+        subprocess.check_call(test_command)
+    except CalledProcessError:
+        print("Required python package %s not found!" % package)
+        exit(-1)
+
+
+def pipcanary():
+    args = parser.parse_args()
+    check_package("venv", ["sh", "-c", "python3 -m venv --help 1>/dev/null"])
+    check_command("strace", ["sh", "-c", "strace -V 1>/dev/null"])
+    check_command("bwrap", ["sh", "-c", "bwrap --version 1>/dev/null"])
+
+    try:
+        requirement_file = args.requirement
+        trace_file = args.trace_file
+        selection = PackageSelection(
+            args.max_upload_time, args.cool_down_phase_days, args.allow_upload_time
+        )
+        additional_directory = args.additional_directory
+
+        if not requirement_file:
+            requirement_file = os.path.join(os.path.curdir, "requirements.txt")
+
+        if not os.path.exists(requirement_file):
+            raise InvalidArgumentError(
+                "Requirements file %s does not exist" % requirement_file
+            )
+
+        packages = scan_packages(requirement_file, additional_directory, trace_file)
+        check_package_uploads(packages, selection)
+        print("All packages appear to be safe!")
+    except (InvalidArgumentError, PackageAgumentError) as e:
+        print(str(e), file=sys.stderr)
+        exit(1)
+    except ScanFailedError as e:
+        print(str(e), file=sys.stderr)
+        exit(2)
+    except PackageDownloadError as e:
+        print(
+            "Failed to download package information for %s: %s"
+            % (e.package_name, str(e)),
+            file=sys.stderr,
+        )
+        exit(3)
+    except UploadVerificationFailedError as e:
+        print(str(e), file=sys.stderr)
+        exit(4)
+    except SuspiciousAccessDetected as e:
+        msg = f"""
+{str(e)}.
+This could be dangerous!!!
+Don't install this package under any circumstances until you know for sure that this is a false positive!
+In doubt, contact the package maintainers!
+"""
+        print(msg, file=sys.stderr)
+        exit(5)
+
+    except KeyboardInterrupt:
+        print("PipCanary was interrupted.")
+
+
+if __name__ == "__main__":
+    pipcanary()

pipcanary-0.0.3/src/pipcanary/sbpip_scan.sh

@@ -0,0 +1,84 @@
+#!/bin/sh
+set -e
+
+REQUIREMENTS_FILE=${REQUIREMENTS_FILE:-requirements.txt}
+PYTHON3=`which python`
+
+PYTHON_BIN="$(dirname $PYTHON3)"
+PYTHON_DIR="$(dirname $PYTHON_BIN)"
+
+echo "Unsing python directory $PYTHON_DIR..."
+
+VIRTUAL_ENV=${PIPCANARY_VIRTUAL_ENV:-`mktemp -d --suffix=-pipcanary`}
+
+ADDITIONAL_DIRECTORY=${PIPCANARY_ADDITIONAL_DIRECTORY:-/usr}
+
+echo "Creating virtual environment in $VIRTUAL_ENV..."
+
+mkdir -p $VIRTUAL_ENV
+rm -rf $VIRTUAL_ENV/* 
+$PYTHON3 -m venv $VIRTUAL_ENV
+
+echo "Installing $REQUIREMENTS_FILE..."
+cp -v $REQUIREMENTS_FILE $VIRTUAL_ENV/requirements.txt
+
+MODULE_LOADER_SOURCE=$(dirname "$0")/module_loader.py
+MODULE_LOADER=$VIRTUAL_ENV/module_loader.py
+
+SITE_PACKAGES=lib/python3.10/site-packages/
+
+cp -v $MODULE_LOADER_SOURCE $MODULE_LOADER
+
+# Wait for scanner
+sleep 0.5
+
+# Installing packages with network
+strace -f -e trace=file \
+bwrap \
+  --unshare-user \
+  --share-net \
+  --die-with-parent \
+  --uid 0 --gid 0 \
+  --new-session \
+  --ro-bind $PYTHON_DIR $PYTHON_DIR \
+  --bind $VIRTUAL_ENV $VIRTUAL_ENV \
+  --proc /proc \
+  --dev /dev \
+  --ro-bind /usr /usr \
+  --ro-bind /lib /lib \
+  --ro-bind /lib64 /lib64 \
+  --ro-bind /etc/ssl/certs/ /etc/ssl/certs/ \
+  --ro-bind /etc/resolv.conf /etc/resolv.conf \
+  --ro-bind $ADDITIONAL_DIRECTORY $ADDITIONAL_DIRECTORY \
+  --clearenv \
+  --setenv HOME "/root" \
+  --setenv PATH "$VIRTUAL_ENV/bin:/usr/bin" \
+  --chdir $VIRTUAL_ENV \
+  pip install --no-cache -r requirements.txt
+
+# Loading modules without network and further file access restrictions
+strace -f -e trace=file \
+bwrap \
+  --unshare-user \
+  --die-with-parent \
+  --uid 0 --gid 0 \
+  --new-session \
+  --ro-bind $PYTHON_DIR $PYTHON_DIR \
+  --bind $VIRTUAL_ENV $VIRTUAL_ENV \
+  --proc /proc \
+  --dev /dev \
+  --ro-bind /usr /usr \
+  --ro-bind /lib /lib \
+  --ro-bind /lib64 /lib64 \
+  --clearenv \
+  --setenv HOME "/root" \
+  --setenv PATH "$VIRTUAL_ENV/bin:/usr/bin" \
+  --chdir $VIRTUAL_ENV \
+  sh -c "python $MODULE_LOADER; pip list --format=json > packages.json"
+
+if [ -z "${PIPCANARY_VIRTUAL_ENV+x}" ]; then
+  echo "Removing $VIRTUAL_ENV..."
+  rm -r $VIRTUAL_ENV
+fi
+
+echo "Done."

pipcanary-0.0.3/src/pipcanary/strace_scanner.py

@@ -0,0 +1,125 @@
+import sys
+import re
+import io
+
+from typing import Iterator, Optional, List
+from abc import ABC, abstractmethod
+from re import Pattern
+
+
+class RuleSet(ABC):
+    @abstractmethod
+    def identify_resource(self, line: str) -> Optional[str]:
+        pass
+
+    @abstractmethod
+    def match(self, line: str) -> Optional[str]:
+        pass
+
+    @abstractmethod
+    def warnings_or_errors(self, line: str) -> Optional[str]:
+        pass
+
+
+class StraceCredentialsExfiltrationRuleSet(RuleSet):
+
+    @staticmethod
+    def compile_package_rule(venv_directory: str) -> Pattern:
+        return re.compile(
+            r"^\[pid [0-9]+\] mkdir\(\"%s/lib/python.*/site-packages/([a-zA-Z][a-zA-Z0-9_-]+)\", 0777\) = 0"
+            % re.escape(venv_directory)
+        )
+
+    @staticmethod
+    def path_access(path: str) -> Pattern:
+        return re.compile(
+            r"^\[pid [0-9]+\] (statx|openat|access)\(AT_FDCWD, \"(%s).*$" % path
+        )
+
+    @classmethod
+    def compile_rules(cls, home_directory: str) -> List[Pattern]:
+        home_directories = ["/root", home_directory]
+        relative_pathes = [
+            "/.ssh",
+            "/.ssh/id_rsa",
+            "/.ssh/id_ed25519",
+            "/.ssh/id_ecdsa",
+            "/.ssh/id_dsa",
+            "/.ssh/authorized_keys",
+            "/.ssh/known_hosts",
+            "/.ssh/config",
+            "/.git-credentials",
+            "/.gitconfig",
+            "/.aws",
+            "/.aws/credentials",
+            "/.aws/config",
+        ]
+
+        rules = []
+        for directory in home_directories:
+            for relative_path in relative_pathes:
+                rules.append(cls.path_access(directory + relative_path))
+
+        return rules
+
+    def __init__(self, home_directory: str, venv_directory: str) -> None:
+        self.package_rule = self.compile_package_rule(venv_directory)
+        self.rules = self.compile_rules(home_directory)
+
+    def identify_resource(self, line: str) -> Optional[str]:
+        if line.startswith("Package: "):
+            return line[9:]
+
+        if match := self.package_rule.match(line):
+            return match.groups()[0]
+
+    def match(self, line: str) -> Optional[str]:
+        for rule in self.rules:
+            if match := rule.match(line):
+                return match.groups()[1]
+
+    def warnings_or_errors(self, line: str) -> Optional[str]:
+        if line.startswith("WARNING: ") or line.startswith("ERROR: "):
+            return line
+
+
+class ScannerObserver(ABC):
+    @abstractmethod
+    def resource_identified(self, resource: str):
+        pass
+
+    @abstractmethod
+    def match_detected(self, resource: str, pattern: str):
+        pass
+
+
+class StraceScanner:
+    def __init__(
+        self, rule_set: RuleSet, observer: ScannerObserver, trace_file: Optional[str]
+    ) -> None:
+        self.rule_set = rule_set
+        self.observer = observer
+        self.trace_file = trace_file
+        self.resource = ""
+
+    def _scan_lines(self, lines: Iterator, fp: Optional[io.TextIOBase] = None):
+        for line in lines:
+            if fp:
+                fp.write(line)
+
+            if msg := self.rule_set.warnings_or_errors(line):
+                print(msg, file=sys.stderr)
+
+            if resource := self.rule_set.identify_resource(line):
+                self.resource = resource
+                continue
+
+            if match := self.rule_set.match(line):
+                self.observer.match_detected(self.resource, match)
+
+    def scan(self, lines: Iterator):
+        if self.trace_file:
+            with open(self.trace_file, "w") as fp:
+                self._scan_lines(lines, fp)
+        else:
+            self._scan_lines(lines)

pipcanary-0.0.3/src/pipcanary.egg-info/PKG-INFO

@@ -0,0 +1,105 @@
+Metadata-Version: 2.4
+Name: pipcanary
+Version: 0.0.3
+Summary: Supply Chain Attack prevention tool
+Author-email: Sebastian Kuebeck <sebastian.kuebeck@encab.io>
+Project-URL: Homepage, https://github.com/sebastian-kuebeck/pipcanary
+Project-URL: Documentation, https://github.com/sebastian-kuebeck/pipcanary
+Project-URL: Bug Tracker, https://github.com/sebastian-kuebeck/pipcanary
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Programming Language :: Python :: 3.15
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: POSIX :: Linux
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: virtualenv~=21.2.0
+Dynamic: license-file
+
+# PipCanary
+
+## Features
+
+- Detects Supply Chain Attacks in Python packages
+
+- Makes sure that new package releases are only installed after a cool down period, so secuity scanners have time to detect vulnerabilities
+
+## Maturity
+
+The project is in early stages. However, it's safer to use this than pip, poetry or uv alone.
+
+## Requirements
+
+- Linux 
+
+- [Python](https://www.python.org/) 3.10 or higher
+
+- [bubblewrap](https://github.com/containers/bubblewrap)
+
+- [strace](https://strace.io)
+
+- [pip](https://pip.pypa.io/en/stable/getting-started/)
+
+## Installation
+
+```bash
+    pip install pipcanary
+```
+
+## Execution
+
+Check your requirements for potential Supply Chain Attacks
+
+```bash
+    pipcanary -r requirements.txt
+```
+
+Sample output when all is fine...
+
+```text
+    ...
+    All packages appear to be safe!    
+```
+
+Sample output if a potential attack is detected...
+
+```text
+    ...
+    Found suspicious access to /root/.ssh in package evilpack
+
+    This could be dangerous!!!
+    Don't install this package under any circumstances until you know for sure that this is a false positive!
+    In doubt, contact the package maintainers!
+```
+
+Sample output when packages were updated during the cooling of phase of one week...
+
+```text
+    ...
+    Package click 8.3.2 was updated too recently: 2026-04-03T19:14:45. 
+    It might be safer to use an older version.
+    Consider click<=8.3.1 or earlier and check for potential known vulnerabilities of this version.
+    If you are certain that the latest upload is safe, add the following argument...
+    --allow-upload-time='click<=2026-04-03T19:14:45'
+
+    Package Werkzeug 3.1.8 was updated too recently: 2026-04-02T18:49:14. 
+    It might be safer to use an older version.
+    Consider Werkzeug<=3.1.7 or earlier and check for potential known vulnerabilities of this version.
+    If you are certain that the latest upload is safe, add the following argument...
+    --allow-upload-time='Werkzeug<=2026-04-02T18:49:14'
+
+    The following packages were uploaded too recently: click, Werkzeug
+```
+
+## Similar Projects
+
+- [pip-audit](https://github.com/pypa/pip-audit)
+
+## Further Information on PyPi Suppy Chaion Attacks
+
+- [How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM](https://snyk.io/de/articles/poisoned-security-scanner-backdooring-litellm/)
+- [The Team PCP Snowball Effect: A Quantitative Analysis](https://blog.gitguardian.com/team-pcp-snowball-analysis/)

pipcanary-0.0.3/src/pipcanary.egg-info/SOURCES.txt

@@ -0,0 +1,17 @@
+LICENSE
+MANIFEST.in
+README.md
+pyproject.toml
+src/pipcanary/__init__.py
+src/pipcanary/__main__.py
+src/pipcanary/module_loader.py
+src/pipcanary/packages.py
+src/pipcanary/pipcanary.py
+src/pipcanary/sbpip_scan.sh
+src/pipcanary/strace_scanner.py
+src/pipcanary.egg-info/PKG-INFO
+src/pipcanary.egg-info/SOURCES.txt
+src/pipcanary.egg-info/dependency_links.txt
+src/pipcanary.egg-info/entry_points.txt
+src/pipcanary.egg-info/requires.txt
+src/pipcanary.egg-info/top_level.txt

pipcanary-0.0.3/src/pipcanary.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

pipcanary-0.0.3/src/pipcanary.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+pipcanary = pipcanary.pipcanary:pipcanary

pipcanary-0.0.3/src/pipcanary.egg-info/requires.txt

@@ -0,0 +1 @@
+virtualenv~=21.2.0

pipcanary-0.0.3/src/pipcanary.egg-info/top_level.txt

@@ -0,0 +1 @@
+pipcanary