Technical description
On May 11, 2026, an attacker published a malicious version of the guardrails-ai Python package (version 0.10.1) to PyPI. The malicious package contains embedded code (CWE-506) that exfiltrates credentials accessible from the installing machine. Security researchers identified and quarantined the package within approximately two hours of publication. The CVE was formally assigned and published on June 5, 2026. Guardrails AI maintainers state that telemetry shows no exfiltration through their own infrastructure, but any credentials present on an affected machine at install time should be considered compromised.
Attack vector
Dependency install: any developer or CI/CD pipeline that ran 'pip install guardrails-ai==0.10.1' on May 11, 2026 would have executed the malicious payload. The attacker used a typosquatting or account-takeover vector to publish under the legitimate package name.
Affected systems
Systems where guardrails-ai version 0.10.1 was installed from PyPI on May 11, 2026. Guardrails AI is a widely deployed Python framework for adding validation and safety rails to LLM applications, used across enterprise AI pipelines.
Mitigation
Upgrade to guardrails-ai 0.10.2 or downgrade to 0.10.0 (both unaffected). Rotate all credentials accessible from any machine that installed version 0.10.1, including: GitHub personal access tokens (PATs), cloud provider keys (AWS/GCP/Azure), package registry tokens, and LLM API keys. Audit GitHub accounts for unauthorized workflows or repositories. Check pip install logs and CI/CD job histories for version 0.10.1.
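The last mitigation step is a hunt across install logs, lockfiles and live environments for the single affected release. The script below is an added example, not code from the advisory or from the Guardrails AI project. It assumes pip's default output format ("Collecting pkg==x.y.z", "Successfully installed pkg-x.y.z ...") and requirements-style pins; the sample log lines and lockfile text are constructed, and the version sets are the ones the advisory names.

```python
"""Hunt for installs of the affected guardrails-ai release (added example)."""
import re
from importlib import metadata

PACKAGE = "guardrails-ai"
AFFECTED = {"0.10.1"}          # the release named in the advisory
UNAFFECTED = {"0.10.0", "0.10.2"}  # stated as safe in the advisory


def is_affected_version(version: str) -> bool:
    """True only for the exact release named in the advisory."""
    return version.strip() in AFFECTED


# pip prints the requested specifier in "Collecting pkg==x.y.z" and the
# resolved release in "Successfully installed pkg-x.y.z other-a.b.c".
_COLLECT = re.compile(r"Collecting guardrails[-_]ai==(\d[\w.]*)", re.I)
_INSTALLED = re.compile(
    r"Successfully installed .*?\bguardrails[-_]ai-(\d[\w.]*)", re.I)
# requirements / constraints pins, one per line; '#' comment lines do not match
_PIN = re.compile(r"^\s*guardrails[-_]ai\s*==\s*(\d[\w.]*)", re.I | re.M)


def scan_pip_log(lines):
    """Return (line_no, version) for every line showing an affected install."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pat in (_COLLECT, _INSTALLED):
            m = pat.search(line)
            if m and is_affected_version(m.group(1)):
                hits.append((n, m.group(1)))
                break
    return hits


def scan_pins(text: str):
    """Return every affected version pinned in a requirements/lock file."""
    return [v for v in _PIN.findall(text) if is_affected_version(v)]


def check_installed():
    """Return (version, affected) for the live environment, or None if absent."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected_version(version)


# Constructed sample data standing in for a CI job log and a lockfile.
SAMPLE_LOG = [
    "Collecting guardrails-ai==0.10.1",
    "  Downloading guardrails_ai-0.10.1-py3-none-any.whl (1.2 MB)",
    "Collecting requests>=2.0",
    "Successfully installed guardrails-ai-0.10.1 requests-2.32.3",
    "Collecting guardrails-ai==0.10.2",
    "Successfully installed guardrails-ai-0.10.2",
]
SAMPLE_LOCK = (
    "requests==2.32.3\n"
    "guardrails-ai == 0.10.1\n"
    "# guardrails-ai==0.10.0  (previous pin)\n"
)

if __name__ == "__main__":
    print("log hits:", scan_pip_log(SAMPLE_LOG))
    print("pinned affected versions:", scan_pins(SAMPLE_LOCK))
    print("this environment:", check_installed())
```

pip only writes its own log file when invoked with `--log <path>`, so in practice the input to `scan_pip_log` is the captured output of each CI job that ran on May 11, 2026; any hit marks that runner's credentials for rotation, regardless of whether the package was later upgraded. A pinned 0.10.1 in a lockfile that has since moved to 0.10.2 still matters, because the exposure happened at install time.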