{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/malicious-package/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["guardrails-ai (== 0.10.1)"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","pypi","malicious-package"],"_cs_type":"advisory","_cs_vendors":["Guardrails AI"],"content_html":"\u003cp\u003eOn May 11, 2026, a malicious version (0.10.1) of the \u003ccode\u003eguardrails-ai\u003c/code\u003e package was published to the Python Package Index (PyPI). The compromised package was identified by security researchers within approximately two hours, leading to its subsequent quarantine by PyPI. Any user who installed \u003ccode\u003eguardrails-ai==0.10.1\u003c/code\u003e from PyPI on May 11, 2026, is potentially affected. While Guardrails AI has not observed any data exfiltration through their systems, users are advised to take immediate remediation steps, including downgrading to version 0.10.0 and treating affected hosts as potentially compromised. This supply chain compromise could lead to credential theft and unauthorized access to sensitive resources. The incident highlights the risks associated with relying on third-party packages and the importance of verifying package integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises the PyPI account or infrastructure used to publish the \u003ccode\u003eguardrails-ai\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the \u003ccode\u003eguardrails-ai\u003c/code\u003e version 0.10.1 package.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes the malicious \u003ccode\u003eguardrails-ai\u003c/code\u003e 0.10.1 package to PyPI.\u003c/li\u003e\n\u003cli\u003eDevelopers unknowingly install the compromised \u003ccode\u003eguardrails-ai==0.10.1\u003c/code\u003e package using \u003ccode\u003epip\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpon execution, the malicious code within the installed package attempts to exfiltrate sensitive data, such as credentials (GitHub PATs, cloud provider keys, package registry tokens, API keys) from the compromised host.\u003c/li\u003e\n\u003cli\u003eThe exfiltrated credentials could then be used to gain unauthorized access to GitHub accounts and other cloud resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may create unauthorized workflows or repositories using the stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised GitHub account or cloud resources to further propagate malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe malicious \u003ccode\u003eguardrails-ai\u003c/code\u003e 0.10.1 package could lead to the compromise of developer machines and the theft of sensitive credentials, including GitHub Personal Access Tokens (PATs), cloud provider keys, and API keys. If successful, attackers could gain unauthorized access to GitHub accounts, cloud resources, and other sensitive systems. The immediate impact includes potential data breaches, supply chain attacks, and service disruptions. Guardrails AI has invalidated all Snowglobe and Guardrails Hub API keys as a precaution, requiring users to rotate them to avoid service interruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDowngrade immediately to \u003ccode\u003eguardrails-ai==0.10.0\u003c/code\u003e as advised in the overview to mitigate the risk of running the malicious code.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect guardrails-ai Package Installation\u0026rdquo; Sigma rule to identify potentially compromised systems that installed the malicious package.\u003c/li\u003e\n\u003cli\u003eRotate any credentials accessible from machines that installed version 0.10.1, including GitHub PATs, cloud provider keys, and package registry tokens, as described in the overview.\u003c/li\u003e\n\u003cli\u003eAudit your GitHub account for unauthorized workflows or repositories as recommended in the advisory overview.\u003c/li\u003e\n\u003cli\u003eRotate Snowglobe and Guardrails Hub API keys before May 13, 2026, at 2:00 PM Pacific to avoid service interruptions, as mentioned in the advisory overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T15:41:27Z","date_published":"2026-05-19T15:41:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-guardrails-ai-supply-chain/","summary":"A malicious version of the guardrails-ai package (0.10.1) was published to PyPI on May 11, 2026, advising users who installed this version to downgrade and treat the host as potentially compromised, rotating credentials and auditing GitHub accounts, with Snowglobe and Guardrails Hub API keys being invalidated on May 13, 2026.","title":"Malicious guardrails-ai 0.10.1 Package Published to PyPI","url":"https://feed.craftedsignal.io/briefs/2026-05-guardrails-ai-supply-chain/"}],"language":"en","title":"CraftedSignal Threat Feed — Malicious-Package","version":"https://jsonfeed.org/version/1.1"}