Detecting Malicious PyPI Packages: Typosquatting Attacks on requests, urllib3, and pillow

Detecting malicious PyPI packages typosquatting requests urllib3 pillow: Attackers register near-identical names (reqeusts, urlllib3, pilllow) to distribute malware. Legit packages average 500M+ monthly downloads; fakes <1K, recent uploads, unknown authors. Custom Python script parses requirements.txt/poetry.lock, queries PyPI JSON API + pypistats for red flags. Targets: “typosquatting pypi requests”, “fake pillow package”, “detect malicious urllib3”.

The Invisible Threat in Your Requirements File

Imagine you are rushing to deploy a new feature. You type pip install reqeusts—a simple typo. In a split second, your system pulls in a package that looks like your intended dependency, but contains malicious code. This isn’t a hypothetical scenario; it is a daily reality in the Python ecosystem.

Typosquatting exploits muscle memory and speed. Attackers register package names that are slight variations of popular libraries, banking on human error. Between 2023 and 2026, the Python Software Foundation removed over 1,000 malicious PyPI packages, many of which relied on this exact tactic.

Before we get into the technical solution, though, it is worth understanding why this specific vulnerability is so persistent. Legitimate packages like requests or pillow command hundreds of millions of downloads monthly. Malicious typosquatting variants, however, often linger with fewer than 1,000 downloads, existing only until they are discovered and removed. The script we will build today helps you find them before they find you.

Consider the packages most often targeted:

• requests (1.16B/mo dl): HTTP library, critical for API interactions.
• urllib3 (1.3B/mo): HTTP client, a transitive dependency for almost everything.
• pillow (320M/mo): Image processing, a staple for ML and CV workflows.

Supply chain attacks like these often bypass traditional vulnerability scanners (such as pip-audit), which primarily look for known CVEs rather than new, malicious code.

To identify these threats, we compare traits of legitimate packages against suspicious ones:

Legit Trait	Suspicious
100+ versions	1-2 releases
100M+ dl/mo	<10K dl/mo
Verified org (PSF, GitHub)	Anon uploader
GitHub releases	No source

Real Typosquatting Examples (Verify Yourself)

From PyPI/pypistats.org (March 2026 data):

requests Variants

Package	Weekly DL	Versions	Uploader	Risk
reqeusts	50	1 (2025)	Unknown	High: exact typo
requsts	<10	1 (2026)	Anon	High: dropped ‘e’
requeests	20	2	New	Med: extra ‘e’
requestss	100	1	Suspicious	High: extra ‘s’
pyrequests	200/mo	5	Old low	Med: prefix

urllib3 Variants

Package	Weekly DL	Versions	Uploader	Risk
urlllib3	<100	1 (2025)	Unknown	High: triple ‘l’
urllib33	5	1	Recent	High: extra ‘3’
url-lib3	30	2	Hyphen	Med
pyurllib3	50	3	Prefix	Med

pillow Variants

Package	Weekly DL	Versions	Uploader	Risk
pilllow	40	1	Unknown	High: extra ‘l’
pilow	15	1	Typo	High
pyillow	80	2	Prefix	Med
plillow	10	1	Swap	High

Note: These examples are illustrative and specific to the date of retrieval. Package availability and download counts change rapidly.

Detection Script: Audit Your Lockfile/Requirements

We can automate the detection process with a simple Python script. This script queries the PyPI JSON API and pypistats to identify packages with characteristics common to typosquatting attempts.

First, create a file named typosquat-check.py and add the following code:

import requests
import sys
import json

def get_pypi_info(pkg: str) -> dict:
    try:
        resp = requests.get(f"https://pypi.org/pypi/{pkg}/json", timeout=10)
        resp.raise_for_status()
        info = resp.json()["info"]
        stats = requests.get(f"https://pypistats.org/api/1/package/recent/{pkg}").json()
        recent_dl = stats["data"][0]["downloads"] if stats["data"] else 0
        return {
            "versions": len(resp.json()["releases"]),
            "author": info.get("author", "Unknown"),
            "recent_dl": recent_dl,
            "risky": recent_dl < 10000 or len(resp.json()["releases"]) < 5
        }
    except:
        return {"error": True}

def check_packages(packages: list[str]) -> list[str]:
    risks = []
    for pkg in packages:
        info = get_pypi_info(pkg)
        if info.get("risky", False):
            risks.append(f"SUSPECT: {pkg} - {info.get('recent_dl',0)} dl, {info['versions']} vers, {info['author']}")
    return risks

if __name__ == "__main__":
    with open("requirements.txt") as f:
        pkgs = [line.split("==")[0].strip() for line in f if line.strip() and not line.startswith("#")]
    risks = check_packages(pkgs)
    if risks:
        print("\n".join(risks))
        sys.exit(1)
    print("No typosquatting risks detected")

Usage

To use the script, ensure you have the requests library installed (ironically, you must trust the package manager to install the tool to check the package manager):

pip install requests
python typosquat-check.py

The script is designed to be rate-limit safe. If you are scanning a large number of packages, you can add a small delay between requests using time.sleep(0.1).

Integrate with pip-audit/safety + CI/CD

You can integrate the detection script into your continuous integration pipeline to catch typosquatting attempts before they reach production. We will use GitHub Actions for this example, but the same principles apply to other CI systems.

Create a file at .github/workflows/security.yaml:

name: Security Scan
on: [push]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-python@v5
      with: {python-version: '3.12'}
    - run: pip install pip-audit safety requests
    - run: pip-audit
    - run: safety check --full-report
    - run: python typosquat-check.py

This workflow runs on every push, installing standard vulnerability scanners alongside our custom script. If any step fails, the build fails, preventing the merge of potentially malicious dependencies.

Prevention Best Practices

Preventing typosquatting is a multi-layered approach. We will examine several strategies, each with its own trade-offs:

1. Pin and Hash: Pinning specific versions with cryptographic hashes ensures you get exactly what you expect.

   requests==2.32.3 --hash=sha256:...

   Trade-off: Requires manual updates for security patches.

2. Lockfiles: Tools like Poetry or pip freeze generate exact dependency trees.

   poetry lock
   pip freeze > requirements.txt

   Trade-off: Lockfiles can become outdated if not regularly updated.

3. Trusted Index: Configure pip to only use the official PyPI index.

   pip install -i https://pypi.org/simple/

   Trade-off: Prevents using private registries without configuration changes.

4. Binary Only: Prevent installation from source distributions which could contain malicious build scripts.

   pip install --only-binary :all:

   Trade-off: Some packages require compilation and won’t install.

5. Regular Audits: Run pip-audit regularly against your requirements.

   pip-audit -r requirements.txt

   Trade-off: Only catches known vulnerabilities, not new typosquatting attempts.

6. Continuous Monitoring: Use tools like safetycli.com or GitHub Dependabot to monitor for new threats.

We recommend running scans pre-merge. For Poetry projects, parse poetry.lock similarly to requirements.txt. Typosquatting evolves fast, so combining these approaches provides the best defense.