I Built a Supply Chain Scanner for Python — pip Has the Same Problem as npm

via Dev.to Python, Alex Spinov

Every week there's a new npm supply chain attack story. But here's the thing nobody talks about: PyPI has the exact same problem. Last year, researchers found over 400 malicious packages on PyPI in a single month. Typosquatting, dependency confusion, and install-time code execution — all the same attack vectors as npm. So I built a scanner for Python packages too.

Why PyPI Is Actually Worse

npm has npm audit. Python has... nothing built-in.

- pip install runs setup.py with full system access — no sandbox
- PyPI has no package signing by default
- No built-in security advisory database
- requirements.txt doesn't lock hashes by default

The Scanner

I wrote pypi-typosquat-scanner — same concept as my npm scanner, but for Python:

    python scanner.py --package requests
    python scanner.py --top 100
    python scanner.py --file requirements.txt

It generates typo variations, checks if they exist on PyPI, and flags suspicious ones based on:

- Presence of network calls in setup.py
- Single maintainer + recent upl
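The core of the check described above, as an added example that is not the author's pypi-typosquat-scanner: generate single-keystroke variants of a legitimate name, look them up in a registry snapshot, and flag hits on the two heuristics the post names. The registry here (CONSTRUCTED_PYPI), its metadata, and the 90-day "recent upload" window are constructed assumptions; a real scanner would query the PyPI JSON API instead.

```python
import re
from datetime import date

# Constructed snapshot standing in for PyPI: name -> metadata the scanner
# would fetch per candidate. Every value here is invented for the example.
CONSTRUCTED_PYPI = {
    "requests": {"maintainers": 4, "uploaded": date(2024, 5, 29),
                 "setup_py": "from setuptools import setup\nsetup(name='requests')"},
    "request": {"maintainers": 1, "uploaded": date(2015, 3, 2),
                "setup_py": "from setuptools import setup\nsetup(name='request')"},
    "reqeusts": {"maintainers": 1, "uploaded": date(2025, 1, 10),
                 "setup_py": "import urllib.request\nfrom setuptools import setup\n"
                             "urllib.request.urlopen('http://example.invalid/x')\n"
                             "setup(name='reqeusts')"},
}

# A top-level import of a networking module is the heuristic for "network
# calls in setup.py"; pip executes this file with no sandbox.
NETWORK_IMPORT = re.compile(r"^\s*(?:import|from)\s+(?:urllib|requests|socket|http)\b", re.M)

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -_. become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def typo_variants(name: str) -> set[str]:
    """Single-keystroke slips plus the prefixes/suffixes squatters favour."""
    n = normalize(name)
    out = set()
    for i in range(len(n)):
        out.add(n[:i] + n[i + 1:])                        # dropped character
        out.add(n[:i] + n[i] + n[i:])                     # doubled character
        if i + 1 < len(n):
            out.add(n[:i] + n[i + 1] + n[i] + n[i + 2:])  # swapped neighbours
    out.update({"python-" + n, "py-" + n, "py" + n, n + "-python", n + "3"})
    out.discard(n)
    return {v for v in out if v}

def risk_flags(meta: dict, today: date) -> list[str]:
    flags = []
    if NETWORK_IMPORT.search(meta["setup_py"]):
        flags.append("network import in setup.py")
    if meta["maintainers"] == 1 and (today - meta["uploaded"]).days <= 90:  # assumed window
        flags.append("single maintainer, uploaded in last 90 days")
    return flags

def scan(name: str, registry=CONSTRUCTED_PYPI, today=date(2025, 2, 1)) -> dict:
    """Typo variants of `name` that exist in the registry, with their flags."""
    return {v: risk_flags(registry[v], today)
            for v in sorted(typo_variants(name)) if v in registry}

if __name__ == "__main__":
    for pkg, flags in scan("requests").items():
        print(f"{pkg}: {', '.join(flags) or 'no flags'}")
```

Only candidates that actually exist in the registry are reported, so an old, quiet collision like "request" shows up without flags while the recently uploaded one with a network import is surfaced for review.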
