Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

Vulnerability

On May 11, 2026, an attacker published a malicious version of guardrails-ai (0.10.1) to PyPI as part of a broader supply chain campaign [1][2][3][4]. Any user who installed guardrails-ai==0.10.1 from PyPI on that date is affected; versions 0.10.0 and earlier are safe [1][2]. The malicious package was identified within approximately two hours, and PyPI quarantined the repository [2][3].

Exploitation

The attacker uploaded the malicious package to PyPI, requiring no special network position or authentication from the victim beyond a standard pip install guardrails-ai command [1][2][4]. Users who upgraded to or freshly installed version 0.10.1 during the window between publication and quarantine (less than two hours) would have retrieved the malicious code onto their local environment [2][4].

Impact

If installed, the malicious code could compromise the host system. Based on vendor telemetry, no requests to Guardrails AI infrastructure originated from the malicious version, and no evidence of user data exfiltration through their systems has been observed [1][2][3][4]. However, any credentials (GitHub PATs, cloud provider keys, package registry tokens, API keys) accessible from that machine are considered potentially exposed, and the host should be treated as compromised [2][3][4].

Mitigation

No patched version above 0.10.1 is available yet; users should downgrade to 0.10.0, which is unaffected [1][2][3][4]. While PyPI quarantine is active, users can install directly from GitHub via pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0 [2][3][4]. Those who installed 0.10.1 must rotate all credentials accessible from the host and audit GitHub accounts for unauthorized activity [2][3][4]. Snowglobe and Guardrails Hub API keys will be invalidated on May 13, 2026; users should rotate them before then [1][2][3][4].