CyberScan intercepts Python package installs, checks them against 1,800+ known malicious packages and runs deep behavioral analysis — before a single line of code runs on your machine.
npm install -g github:AmazinCS/CyberScanner
The problem
The Python package ecosystem is the most targeted in software supply chain attacks. Malicious packages get published to PyPI daily — and pip has no built-in protection. One bad install is all it takes.
Attackers publish packages with names like reqeusts or numpy-base — one typo and your machine is compromised.
Real packages like ultralytics have had specific versions compromised. pip has no way to warn you.
setup.py executes during pip install. Attackers embed shell commands, backdoors, and data exfiltration in that single file.
How it works
→Every package name is instantly checked against the DataDog malicious package dataset — 1,800+ confirmed PyPI threats. Known bad packages are blocked before anything is downloaded.
→The package is downloaded but NOT installed. CyberScan opens every .py file and scans for dangerous execution patterns — system calls, shell injection, obfuscated payloads, install-time execution.
→A weighted risk score is calculated. LOW RISK packages install automatically with no interruption. HIGH RISK packages are blocked outright — no prompts, no exceptions. Trusted packages like numpy and pandas are never falsely flagged.
Features
Built to fit into how developers actually work — not to force a new workflow.
Every scan happens entirely on your machine. No package names, no code, no metadata ever leaves your terminal. Critical for teams with compliance requirements.
Doesn't just check a blocklist — actively reads package code looking for os.system calls, subprocess abuse, base64 payloads, shell injection, and more.
Each suspicious pattern is scored individually. Combination attacks — like base64 paired with exec() — are scored higher. You see exactly why something was blocked.
The malicious package database auto-refreshes every 24 hours directly from DataDog's live dataset. You're always protected against the latest known threats.
Run cyberscan repo <url> to scan any GitHub repo before cloning or running it. Shallow-clones, scans all Python and shell scripts, then reports risk — no installation needed.
numpy, pandas, requests, flask, and other mature libraries use advanced patterns internally. CyberScan recognises this — they're never falsely flagged as high risk from legitimate internal code.
Why CyberScan
There is no other tool that combines real-time threat intelligence, deep behavioral analysis, and complete local privacy — all in a single pip-native CLI command.
Every competing tool sends your package data to a cloud server to scan it. CyberScan never does. If your organisation handles sensitive code, classified data, or has strict network policies — CyberScan is the only tool that works for you.
Known-malware database checks catch confirmed threats instantly. Behavioral analysis catches new, unknown threats that have never been seen before. No other pip tool does both — you need both.
Most tools compare package names and version numbers. CyberScan actually opens the files and reads the code — catching obfuscated payloads, suspicious combinations, and novel attack patterns that a database alone will never detect.
base64 alone is harmless. exec() alone can be legitimate. base64 + exec() together is how 80% of PyPI malware executes its payload. CyberScan understands context — not just keywords.
Detection engine
Each pattern is scored and weighted. High-risk combinations trigger bonus scoring.
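The weighted scoring sketched in the "How it works" steps and under "Detection engine" can be illustrated with the small scanner below. It is an added example, not CyberScan's own code: the pattern table, the weights, the base64 + exec() combination bonus and the LOW/MEDIUM/HIGH thresholds are all constructed assumptions, and the two sample sources are constructed inline. Source is only parsed with `ast`, never executed.

```python
import ast

# Constructed weight table (illustrative, not CyberScan's real one).
PATTERN_WEIGHTS = {
    "os.system": 4,
    "subprocess.Popen": 3, "subprocess.run": 3, "subprocess.call": 3,
    "base64.b64decode": 2,
    "exec": 3, "eval": 3,
}
# Combinations that score higher than the sum of their parts.
COMBO_BONUS = {
    frozenset({"base64.b64decode", "exec"}): 5,
    frozenset({"base64.b64decode", "eval"}): 5,
}

def _call_name(node):
    """Return 'module.attr' or bare 'name' for a Call node, else None."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None

def find_patterns(source):
    """Parse the source (never run it) and collect suspicious calls with line numbers."""
    return [(name, node.lineno)
            for node in ast.walk(ast.parse(source))
            if isinstance(node, ast.Call)
            and (name := _call_name(node)) in PATTERN_WEIGHTS]

def score(hits):
    """Each distinct pattern is scored once; matching combinations add a bonus."""
    seen = {name for name, _ in hits}
    total = sum(PATTERN_WEIGHTS[n] for n in seen)
    total += sum(bonus for combo, bonus in COMBO_BONUS.items() if combo <= seen)
    return total

def classify(total, high=8, low=3):
    """Constructed thresholds: HIGH is blocked, LOW installs without interruption."""
    return "HIGH" if total >= high else "MEDIUM" if total > low else "LOW"

def scan(source):
    hits = find_patterns(source)
    total = score(hits)
    return {"score": total, "risk": classify(total), "hits": hits}

# Constructed samples: a benign file and an install-time payload pattern.
BENIGN = "import os\nprint(os.path.join('a', 'b'))\n"
SUSPICIOUS = ("import base64, subprocess\n"
              "exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n"  # decodes to print('hi')
              "subprocess.run(['ls'])\n")
```

Run `scan(SUSPICIOUS)` to see the hits with their line numbers, which is the "exactly why something was blocked" report the page describes.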
Pricing
The CLI is free forever. Teams and enterprises get centralized control, reporting, and compliance tools.
Install CyberScan in 30 seconds. Free forever for individual developers.