Security Advisory: Malicious code in guardrails-ai 0.10.1
**Status:** Active. Package quarantined on PyPI. Tracking issue: [#1473](https://github.com/guardrails-ai/guardrails/issues/1473).
Affected version: guardrails-ai==0.10.1 on PyPI
Safe version: guardrails-ai==0.10.0 and earlier
Severity: Critical
Published: May 12, 2026
Last updated: May 12, 2026
Summary
On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai (0.10.1) to PyPI. This compromise was part of a broader supply chain campaign affecting multiple open source packages during the same timeframe. Security researchers identified the malicious package within approximately 2 hours, and PyPI quarantined the repository.
Based on our telemetry, we have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through our systems.
If you installed guardrails-ai==0.10.1 from PyPI on May 11, 2026, your local environment may be compromised. See What you need to do below.
What you need to do
1. Do not install guardrails-ai==0.10.1
The package is quarantined on PyPI, but pin explicitly to be safe:
guardrails-ai==0.10.0
2. While PyPI quarantine is active, install directly from GitHub
pip install git+https://github.com/guardrails-ai/guardrails@v0.10.0
The v0.10.0 tag in this repository is clean. We will update this advisory when the quarantine is lifted and a safe replacement is available on PyPI.
3. If you installed 0.10.1, treat the host as potentially compromised
- Uninstall the package: pip uninstall guardrails-ai
- Rotate every credential accessible from that machine: GitHub PATs, cloud provider keys, package registry tokens, API keys for any service you have logged into
- Audit your GitHub account and any GitHub organizations you have write access to for unauthorized workflows, new repositories, or unexpected commits
- Consider a full machine reimage if the host handles sensitive credentials
4. Snowglobe and Guardrails Hub users: rotate your API keys
All Snowglobe API keys will be invalidated at 2:00 PM Pacific, May 13, 2026. Rotate yours before then to avoid service interruption. We have no evidence Snowglobe or Guardrails Hub keys were exposed; we are rotating proactively.
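As an added example, not part of this advisory or of the guardrails project, the following Python script audits pip requirement lines for exposure to the affected release and flags unpinned or floating specifiers that would resolve to 0.10.1 if it were served again. The sample requirement lines are constructed, and the specifier evaluation is a small stand-in for the `packaging` library that covers only the plain numeric operators.

```python
import re
PKG, AFFECTED = "guardrails-ai", "0.10.1"
_SPEC = re.compile(r"(==|!=|>=|<=|~=|>|<)\s*([0-9][0-9.]*)")    # one PEP 440 clause
_REQ = re.compile(r"^([A-Za-z0-9_.-]+)\s*(\[[^\]]*\])?\s*(.*)$")  # name[extras] spec

def _v(s):
    """'X.Y' -> zero-padded 3-tuple, so that 0.10 == 0.10.0 as PEP 440 requires."""
    parts = [int(x) for x in s.strip(".").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def _clause_ok(op, pinned, candidate):
    p, c = _v(pinned), _v(candidate)
    if op == "~=":  # compatible release: >= X.Y.Z and == X.Y.*
        n = len(pinned.strip(".").split(".")) - 1
        return c >= p and c[:n] == p[:n]
    return {"==": c == p, "!=": c != p, ">=": c >= p,
            "<=": c <= p, ">": c > p, "<": c < p}[op]

def spec_admits(spec, candidate=AFFECTED):
    """True if every clause of e.g. '>=0.9,<1.0' is met by candidate.
    An empty spec (unpinned requirement) admits everything, 0.10.1 included."""
    return all(_clause_ok(op, v, candidate) for op, v in _SPEC.findall(spec))

def audit_requirements(text):
    """Return (line, verdict) for each requirement line that names guardrails-ai."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comment, env marker
        m = _REQ.match(line)
        if not m or m.group(1).lower().replace("_", "-") != PKG:
            continue
        spec = m.group(3)
        if spec.startswith("@"):
            verdict = "direct-ref"       # git+https://... is not resolved through PyPI
        elif not spec_admits(spec):
            verdict = "ok"
        elif spec.replace(" ", "") == f"=={AFFECTED}":
            verdict = "affected-pin"     # explicitly requests the malicious release
        else:
            verdict = "admits-affected"  # would resolve to 0.10.1 if PyPI served it
        findings.append((raw, verdict))
    return findings

# Constructed sample requirements file, not taken from any real project.
SAMPLE = """guardrails-ai==0.10.0
guardrails_ai>=0.9,<1.0   # floating range
guardrails-ai
guardrails-ai==0.10.1
guardrails-ai @ git+https://github.com/guardrails-ai/guardrails@v0.10.0
"""
```

Run `audit_requirements` over each requirements or constraints file in a project; any line other than `ok` or `direct-ref` should be replaced with the `==0.10.0` pin from step 1.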
How it happened
- An employee's GitHub Personal Access Token was compromised.
- Using the PAT, the attacker triggered a GitHub Action across 30 repositories in the guardrails-ai organization that produced artifacts containing repository secrets.
- Deploy tokens extracted from those artifacts were used to publish the malicious guardrails-ai==0.10.1 to PyPI.
The attacker also unsuccessfully attempted to:
- Access the Ray cluster used to serve remote validator inferencing
- Publish malicious versions to additional public package systems
What we have done
- Rotated all tokens across the GitHub organization and individual repositories
- Reset the compromised employee's accounts and factory-reset their devices
- Taken the Ray cluster and validator hub offline
- Audited system and access logs (no evidence of user data exfiltration found)
- Confirmed via telemetry that we have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 package
- Restoring the Ray cluster and validator hub on rotated credentials
- Forcing rotation of all Snowglobe and Guardrails Hub API keys at 2:00 PM PT, May 13, 2026
- Reviewing our GitHub Actions configurations, secret scoping, and PAT policies organization-wide
- Restricting creation of classic GitHub PATs (i.e. classic tokens cannot access the org)
- Fine-grained GitHub PATs require approval and an expiration
- ALL commits to any branch on any repository within the org must have a verified signature
- Worked with PyPI to lift the quarantine and publish a clean release (tracked in #1473)
What we are doing next
- Publishing a more detailed postmortem in the coming days
Contact
- Security questions: [email protected]
- General questions: file an issue on this repository or post in our Discord
- We will continue updating this document as new information becomes available
References
- Tracking issue: #1473
- GHSA: GHSA-xmpw-2vmm-p4p6
- CVE: CVE-2026-45758
- Related supply chain campaign: CVE-2026-45321 (TanStack)