An open security organization focused on practical supply chain defense.
Vipyr Security exists to make software supply chains more resilient. We run systems that ingest package activity, distribute analysis jobs, scan package contents, support package reporting, and publish research that helps defenders stay current. The model is simple: protect people who use package ecosystems every day without asking them to become security operators first.
Use package feed intake and supporting tooling to identify new releases worth immediate review.
Route analysis through queue, review, and reporting systems that can turn detections into package reports and follow-up.
Document campaigns, techniques, and ecosystem lessons in public research instead of keeping signal private.
Vipyr is designed to strengthen open source ecosystems, not just describe the problem.
Vipyr Security contributes practical security work across package intake, malware analysis, reporting, authenticated review surfaces, and public documentation. The emphasis stays on explainability and usefulness.
What the work looks like
Load new releases from package feeds, assign work through Dragonfly, scan distributions and files, review the results, report malicious packages, and publish what was learned.
Who that protects
Students, teachers, developers, maintainers, and businesses can all be hit by a single typosquatted package or a single malicious dependency. Vipyr exists to narrow that gap at no cost to them, while staying community-rooted and open to practical contributions.
Clear standards for how Vipyr conducts security work.
We value explainable analysis, public collaboration, and practical remediation that leads to real outcomes.
Signal over noise
The goal is to understand packages well enough to act on them: what was published, what it contains, how it behaved, and what response it needs.
Open collaboration
Vipyr operates in public, keeps major workflow components inspectable, and coordinates through public tooling and community-facing interfaces.
Practical remediation
Detection is only useful when it leads to action, whether that means package reporting, queue triage, ecosystem coordination, or published analysis.
Context that still matters.
A few direct answers help explain how Vipyr started, why it operates in public, and how people can contribute.
How did Vipyr Security start?
In March 2023, a surge of malware was observed on PyPI. Manual review quickly turned into a repeatable operational need, and Vipyr grew out of the effort to detect, triage, and eliminate malicious packages at scale.
Why operate without a product to sell?
Vipyr is focused on operating useful security systems, not packaging a commercial story around them. The priority is public capability: package intake, scanning workflows, reporting paths, and research defenders can actually apply, without requiring end users to install anything first.
How can people get involved?
The repositories are open source, the research is public, and the community remains accessible. The best contributions are practical ones: engineering, analysis, documentation, and responsible collaboration.