OpenAI SDK (Python)

registry: PyPI
package name: openai
maintainer: OpenAI

The official OpenAI Python SDK for the GPT-4o, o3, and o1 model families. It handles authentication, streaming, function calling, and batch requests against the OpenAI REST API. Projects using this SDK pass their OpenAI API key through the client, and any usage runs against the key owner's billing account.

api usage

Checking OpenAI SDK (Python)

openai 1.40.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

```bash
curl "https://api.attestd.io/v1/check?product=openai&version=1.40.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "openai",
  "version": "1.40.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```

attack surface

Why this package is monitored

API key injection is the primary risk: a backdoored SDK reads the API key from the environment and sends it to an attacker-controlled endpoint before any model call is made, granting full programmatic access to the key owner's account and spend.

Attestd monitors openai using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.
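
A fail-closed install gate built on the response shape and source confidences above, as an added example that is not Attestd's own client code. It assumes each `sources` entry is a source name string (the page only shows an empty array); `fetch`, `evaluate` and `SOURCE_CONFIDENCE` are hypothetical names.

```python
import json
import urllib.parse
import urllib.request

# Confidence per detection source, as listed on this page.
SOURCE_CONFIDENCE = {"registry": 1.0, "osv": 0.95, "pypi_yank": 0.80}


def fetch(product, version, api_key):
    """Call the check endpoint shown above and return the parsed JSON."""
    query = urllib.parse.urlencode({"product": product, "version": version})
    req = urllib.request.Request(
        "https://api.attestd.io/v1/check?" + query,
        headers={"Authorization": "Bearer " + api_key},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def evaluate(resp, product, version):
    """Return (decision, reason); decision is 'allow', 'block' or 'review'.

    Only a response matching the clean shape shown above is allowed.
    """
    if resp.get("product") != product or resp.get("version") != version:
        return "review", "response does not describe the requested release"
    if resp.get("supported") is not True:
        return "review", "product not covered; no finding is not a clean result"
    sc = resp.get("supply_chain")
    sources = sc.get("sources") if isinstance(sc, dict) else None
    if not isinstance(sources, list):
        return "review", "supply_chain.sources missing or malformed"
    if sc.get("compromised") is True:
        # Assumption: entries are source name strings. Unknown or non-string
        # entries count as 1.0 so a new source never weakens the gate.
        known = [SOURCE_CONFIDENCE.get(s, 1.0) for s in sources if isinstance(s, str)]
        conf = max(known or [1.0])
        return "block", "compromised, sources=%s, max confidence %.2f" % (sources, conf)
    if sc.get("compromised") is False and not sources:
        return "allow", "no known supply chain compromise"
    return "review", "compromised flag and sources disagree or are missing"


if __name__ == "__main__":
    # Constructed sample: a compromised result for a placeholder version.
    sample = {"product": "openai", "version": "0.0.0", "supported": True,
              "supply_chain": {"compromised": True, "sources": ["osv"]}}
    print(evaluate(sample, "openai", "0.0.0"))
```

Run the gate before dependency installation, so a blocked version is never imported in an environment that holds the API key.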
