n
#PIXO_NEWS
← Back to news
Web DevPypi.orgPublished May 30, 2026

Malicious Package Detected on PyPI: langchain-twosio

Someone pushed langchain-twosio to PyPI trying to impersonate the real LangChain library. Not a typo. This was deliberate. The package was sitting there long enough that devs could've pulled it into their projects without realizing they were installing malware instead of the legitimate tool.

PyPI's maintainers caught it and nuked the package, which is good. But here's the thing: if you ran a pip install in the last few days without being specific about which langchain you wanted, you might have grabbed the fake one. Your machine could be compromised right now. The attack leverages the trust people have in package managers and the split-second decision most devs make when installing dependencies.

This is a supply chain attack, and it's getting easier to pull off. Check your pip history. Verify what's actually installed on your system. If you got the bad package, nuke your environment and rebuild it clean.

Share:XFacebookWhatsApp
Source:pypi.org

How to Protect Yourself — Step by Step

For Python developers

  1. 1Check your installed packages immediately by running 'pip list | grep langchain' in your terminal to see what version you have.
  2. 2If you see 'langchain-twosio' or any langchain package installed in the last few days, isolate that environment — don't run any code with it.
  3. 3Run 'pip show langchain-twosio' to confirm the installation path and timestamp, then delete the entire virtual environment or use 'pip uninstall langchain-twosio'.
  4. 4Audit your recent pip install commands in your shell history (check ~/.bash_history or ~/.zsh_history) to see if you installed anything suspicious.
  5. 5If you installed the fake package, rotate any credentials that were in use on that machine — API keys, passwords, tokens, everything.
  6. 6Going forward, always specify exact versions in requirements.txt instead of just 'langchain'. Use 'langchain==0.x.x' not just 'langchain'.
  7. 7Consider using a tool like pip-audit or safety to scan your dependencies for known malicious packages before pulling new code into production.
Summary: Check installed packages immediately, isolate compromised environments, rotate credentials, and lock dependency versions in the future.
Related Articles