
Apache Airflow

registry: PyPI
package name: apache-airflow
maintainer: Apache Software Foundation

Apache Airflow is a widely used open-source workflow orchestration platform for data engineering pipelines; it schedules and monitors DAGs that connect to databases, cloud services and third-party APIs. Connection credentials (database passwords, cloud keys, API tokens) are stored either in the Airflow metadata database, encrypted with the deployment's Fernet key, or in a configured secrets backend. A production Airflow deployment therefore often holds credentials for every data system in the organization.

API usage

Checking Apache Airflow

apache-airflow 2.10.0 has no known supply chain compromise, so the check returns compromised: false, risk_state: none and an empty sources array.

```bash
curl "https://api.attestd.io/v1/check?product=apache-airflow&version=2.10.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "apache-airflow",
  "version": "2.10.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```
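The response above is only useful if something acts on it. The script below is an added example, not an Attestd client or SDK: it reads `==`-pinned lines from a requirements file, queries /v1/check for each, and turns the fields shown above into a pass/fail gate. It assumes only the endpoint, query parameters and JSON shape on this page; the ATTESTD_API_KEY variable name, the `fetch` injection point, the "review"/"unknown" verdicts and the "example-pkg" sample (a hypothetical package with invented test data) are this example's own.

```python
"""Gate a pinned requirements file on Attestd's /v1/check response.

Added example, not Attestd's own client. It assumes only the endpoint,
query parameters and JSON shape shown on this page. ATTESTD_API_KEY, the
`fetch` injection point and the review/unknown verdicts are assumptions.
"""
import json
import os
import re
import urllib.parse
import urllib.request

API_URL = "https://api.attestd.io/v1/check"

# Only exact '==' pins can be checked against a single version.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_pins(requirements_text):
    """Return (name, version) for each '=='-pinned line; comments and ranges are skipped."""
    pins = []
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def http_fetch(product, version):
    """Live lookup. ATTESTD_API_KEY is an assumed variable name for the bearer token."""
    url = API_URL + "?" + urllib.parse.urlencode({"product": product, "version": version})
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + os.environ["ATTESTD_API_KEY"]})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def verdict(result):
    """Map one check response onto (state, reason).

    allow: tracked and clean; block: a source reports compromise; review: a
    risk_state other than "none" (only "none" appears on this page, so anything
    else fails closed); unknown: Attestd does not track the package at all.
    Compromise is tested first so no other field can mask it.
    """
    if not result.get("supported", False):
        return "unknown", "package not tracked; no supply-chain signal available"
    sc = result.get("supply_chain") or {}
    if sc.get("compromised"):
        n = len(sc.get("sources") or [])
        detail = sc.get("description") or sc.get("advisory_url") or "no details"
        return "block", f"compromised ({n} source(s)): {detail}"
    risk = result.get("risk_state", "none")
    if risk != "none":
        return "review", f"risk_state={risk!r}"
    return "allow", "no known supply-chain compromise"


def gate(requirements_text, fetch=http_fetch, allow_unknown=True):
    """Check every pin; return (ok, {pin: (state, reason)}).

    block and review always fail the gate; untracked packages fail only with
    allow_unknown=False, since most packages are not on Attestd's list.
    """
    report = {}
    for name, version in parse_pins(requirements_text):
        report[f"{name}=={version}"] = verdict(fetch(name, version))
    failing = {"block", "review"} if allow_unknown else {"block", "review", "unknown"}
    ok = not any(state in failing for state, _ in report.values())
    return ok, report


# Constructed sample responses so the gate runs offline. The apache-airflow
# entry is the response on this page; "example-pkg" is hypothetical and its
# compromise, its risk_state value and the shape of its sources entries are
# invented test data.
SAMPLE_RESPONSES = {
    ("apache-airflow", "2.10.0"): {
        "product": "apache-airflow", "version": "2.10.0", "supported": True, "risk_state": "none",
        "supply_chain": {"compromised": False, "sources": [], "malware_type": None, "description": None,
                         "advisory_url": None, "compromised_at": None, "removed_at": None},
        "last_updated": "2026-05-01T00:00:00Z",
    },
    ("example-pkg", "1.2.3"): {
        "product": "example-pkg", "version": "1.2.3", "supported": True, "risk_state": "compromised",
        "supply_chain": {"compromised": True, "sources": ["osv"], "malware_type": None,
                         "description": "constructed test data", "advisory_url": None,
                         "compromised_at": None, "removed_at": None},
        "last_updated": "2026-05-01T00:00:00Z",
    },
}


def sample_fetch(product, version):
    """Offline stand-in for http_fetch; unknown packages come back unsupported."""
    return SAMPLE_RESPONSES.get((product, version), {"product": product, "version": version, "supported": False})


if __name__ == "__main__":
    ok, report = gate("apache-airflow==2.10.0\nexample-pkg==1.2.3\nrequests>=2.0\n", fetch=sample_fetch)
    for pin, (state, reason) in report.items():
        print(f"{state:8} {pin}: {reason}")
    raise SystemExit(0 if ok else 1)   # pass fetch=http_fetch for a live run
```

The gate fails closed on any risk_state it does not recognise and on every reported compromise, but by default lets untracked packages through; flip allow_unknown to False only if every dependency in the file is expected to be on the monitored list, otherwise the check fails for reasons unrelated to supply chain risk.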
Attack surface

Why this package is monitored

Workflow orchestrators are high-value targets because they aggregate credentials from every system they connect to. Airflow encrypts stored connection secrets at rest with a Fernet key, but that key has to be available to every scheduler, web server and worker process, so a compromised apache-airflow package runs with everything it needs to decrypt and exfiltrate the entire connections store, which typically includes cloud provider keys, database credentials and API tokens.

Attestd monitors apache-airflow using the following detection sources:

registry (confidence 1.0): manually curated advisories in the Attestd registry, verified by a human analyst.

osv (confidence 0.95): OSV.dev malicious-package advisories with IDs prefixed MAL-.

pypi_yank (confidence 0.80): versions yanked on PyPI with a security-related yanked_reason annotation.
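To make the two public sources concrete, the script below re-derives the osv and pypi_yank signals from the OSV query API and the PyPI release JSON, then combines them with the confidence weights quoted above. It is an added example and not Attestd's pipeline: the aggregation rule (any source fires means compromised, confidence is the strongest source), the keyword heuristic for what counts as a "security-related" yank reason, and the offline samples ("example-pkg" and "broken-pkg" are hypothetical, with made-up IDs and reasons) are this example's own choices.

```python
"""Re-derive the osv and pypi_yank detection sources from public APIs.

Added example, not Attestd's code. The confidence weights are the ones
quoted on this page; the aggregation rule and SECURITY_WORDS heuristic are
assumptions. `fetch` is an injection point so the logic runs offline.
"""
import json
import urllib.request

CONFIDENCE = {"registry": 1.0, "osv": 0.95, "pypi_yank": 0.80}

OSV_QUERY_URL = "https://api.osv.dev/v1/query"
PYPI_RELEASE_URL = "https://pypi.org/pypi/{name}/{version}/json"

# Substrings treated as a security-related yank reason (case-insensitive); assumed.
SECURITY_WORDS = ("malicious", "malware", "compromis", "backdoor", "security", "vulnerab", "cve-")


def fetch_json(url, payload=None):
    """Live GET, or POST when a JSON payload is given."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, headers={"Accept": "application/json"})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def osv_malicious_ids(product, version, fetch=fetch_json):
    """MAL-prefixed OSV IDs for this exact release. OSV answers {} when nothing matches."""
    payload = {"package": {"name": product, "ecosystem": "PyPI"}, "version": version}
    result = fetch(OSV_QUERY_URL, payload) or {}
    return [v["id"] for v in result.get("vulns", []) if str(v.get("id", "")).startswith("MAL-")]


def pypi_security_yank(product, version, fetch=fetch_json):
    """yanked_reason if the release is yanked for a security-flavoured reason, else None.

    A yank with no reason, or a non-security one (broken build, bad metadata),
    is deliberately not a compromise signal here.
    """
    info = (fetch(PYPI_RELEASE_URL.format(name=product, version=version)) or {}).get("info") or {}
    if not info.get("yanked"):
        return None
    reason = info.get("yanked_reason") or ""
    return reason if any(w in reason.lower() for w in SECURITY_WORDS) else None


def assess(product, version, fetch=fetch_json):
    """Combine the sources into one verdict shaped like the supply_chain object above."""
    sources = []
    mal_ids = osv_malicious_ids(product, version, fetch)
    if mal_ids:
        sources.append({"source": "osv", "confidence": CONFIDENCE["osv"], "evidence": mal_ids})
    reason = pypi_security_yank(product, version, fetch)
    if reason:
        sources.append({"source": "pypi_yank", "confidence": CONFIDENCE["pypi_yank"], "evidence": reason})
    return {
        "product": product,
        "version": version,
        "compromised": bool(sources),
        "confidence": max((s["confidence"] for s in sources), default=0.0),
        "sources": sources,
    }


# Constructed offline samples: "example-pkg" and "broken-pkg" are hypothetical,
# their IDs and reasons are invented; apache-airflow mirrors a clean release.
SAMPLE_OSV = {"example-pkg": {"vulns": [{"id": "MAL-0000-0000"}, {"id": "PYSEC-0000-0"}]}}
SAMPLE_PYPI = {
    ("apache-airflow", "2.10.0"): {"info": {"yanked": False, "yanked_reason": None}},
    ("example-pkg", "1.2.3"): {"info": {"yanked": True, "yanked_reason": "Malicious release (constructed)"}},
    ("broken-pkg", "0.1"): {"info": {"yanked": True, "yanked_reason": "broken build"}},
}


def sample_fetch(url, payload=None):
    """Offline stand-in for fetch_json keyed on the same URLs and payload."""
    if url == OSV_QUERY_URL:
        return SAMPLE_OSV.get(payload["package"]["name"], {})   # {} mirrors OSV's empty result
    for (name, version), body in SAMPLE_PYPI.items():
        if url == PYPI_RELEASE_URL.format(name=name, version=version):
            return body
    return {"info": {}}


if __name__ == "__main__":
    for name, version in [("apache-airflow", "2.10.0"), ("example-pkg", "1.2.3"), ("broken-pkg", "0.1")]:
        print(json.dumps(assess(name, version, fetch=sample_fetch)))
    # Swap fetch=sample_fetch for fetch=fetch_json to query OSV and PyPI live.
```

Note the two deliberate non-signals: an OSV entry without the MAL- prefix is an ordinary vulnerability advisory, not evidence of a malicious release, and a yank with no reason or a non-security reason is excluded rather than scored at 0.80. If you would rather not lose the latter, route it to a "review" state instead of silently dropping it.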
