
Django

registry: PyPI
package name: django
maintainer: Django Software Foundation

Django is the most widely used full-stack Python web framework, providing an ORM, authentication system, admin interface, and template engine. It powers a large share of Python web applications across industries. The Django ORM reads database credentials from settings.py, and the auth system handles plaintext passwords during login.

api usage

Checking Django

django 5.1.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

```bash
curl "https://api.attestd.io/v1/check?product=django&version=5.1.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "django",
  "version": "5.1.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```
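A CI gate built on the check above, as an added example that is not Attestd's own client: it parses pinned requirements, builds the documented query URL, and turns a check response into a verdict, treating a version the service does not cover as unknown rather than clean. The sample lockfile, the `fetch` helper and the verdict names are assumptions; the response shape is the one shown above.

```python
"""Gate pinned Python dependencies on the Attestd supply-chain check.

Added example, not Attestd's own client. It assumes only what this page shows:
GET /v1/check?product=<name>&version=<ver> with a Bearer token, returning JSON
with `supported` and `supply_chain.compromised`.
"""
import json
import re
import urllib.parse
import urllib.request

API = "https://api.attestd.io/v1/check"
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s;#]+)")

def parse_pins(requirements_text):
    """Return (name, version) for each `name==version` line; skip the rest."""
    pins = []
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line.strip())
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins

def check_url(product, version):
    """Build the query URL exactly as the documented curl call does."""
    return API + "?" + urllib.parse.urlencode({"product": product, "version": version})

def fetch(product, version, api_key):
    # Live call (assumed helper); the rest of the gate works on a parsed response.
    req = urllib.request.Request(check_url(product, version),
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def evaluate(response):
    """Map one response to a CI verdict: 'block', 'unknown' or 'ok'.
    An unsupported version yields 'unknown', not 'ok', so a pin the service
    has never seen cannot pass as clean."""
    if not response.get("supported", False):
        return "unknown"
    if (response.get("supply_chain") or {}).get("compromised"):
        return "block"
    return "ok"

# Constructed sample: one pinned dependency and the response shown above.
SAMPLE_REQUIREMENTS = "Django==5.1.0\nrequests>=2.0  # unpinned, skipped\n"
SAMPLE_RESPONSE = {"product": "django", "version": "5.1.0", "supported": True,
                   "risk_state": "none",
                   "supply_chain": {"compromised": False, "sources": []}}
```

In a pipeline, run `evaluate(fetch(name, ver, key))` for every pin and fail the job on any verdict other than `ok`.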

attack surface

Why this package is monitored

Full-stack web frameworks process authentication requests, including plaintext passwords before hashing. A compromised version can capture passwords at the login step and exfiltrate session tokens and database credentials loaded from the settings module.

Attestd monitors django using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.
