
Paramiko

registry: PyPI
package name: paramiko
maintainer: Paramiko Contributors

Paramiko is the standard Python library for SSH2 protocol implementation, used in deployment scripts, server automation, and CI/CD pipelines for remote command execution and SFTP file transfers. It manages SSH private keys, known_hosts verification, and interactive shell sessions to production servers.

api usage

Checking Paramiko

paramiko 3.4.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash
curl "https://api.attestd.io/v1/check?product=paramiko&version=3.4.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json
{
  "product": "paramiko",
  "version": "3.4.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
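As an added example, not part of the Attestd page or any Attestd client library, here is a Python gate a CI job could run before installing paramiko: it calls the check endpoint shown above and maps the response to an allow, block or review decision using the per-source confidences this page documents. The endpoint URL and response fields come from the page; the 0.9 block threshold and the shape of a non-empty sources array are assumptions.

```python
import json
import urllib.request

API_URL = "https://api.attestd.io/v1/check"  # endpoint used by the curl call on this page

# Per-source confidence as stated on this page (registry 1.0, osv 0.95, pypi_yank 0.80).
SOURCE_CONFIDENCE = {"registry": 1.0, "osv": 0.95, "pypi_yank": 0.80}

# The clean 3.4.0 response from this page, embedded so the example runs offline.
CLEAN_RESPONSE = {
    "product": "paramiko", "version": "3.4.0", "supported": True, "risk_state": "none",
    "supply_chain": {"compromised": False, "sources": [], "malware_type": None,
                     "description": None, "advisory_url": None,
                     "compromised_at": None, "removed_at": None},
    "last_updated": "2026-05-01T00:00:00Z",
}


def fetch_check(product, version, api_key):
    """Live lookup, equivalent to the curl call above (network; not exercised here)."""
    req = urllib.request.Request(
        f"{API_URL}?product={product}&version={version}",
        headers={"Authorization": f"Bearer {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def evaluate(check, block_threshold=0.9):
    """Turn a check response into ('allow' | 'block' | 'review', reason).
    Unsupported versions are 'review': no data is not a clean bill of health.
    A compromised flag backed by a source at or above block_threshold confidence
    is 'block'; lower-confidence evidence (e.g. only a PyPI yank) is 'review'.
    Assumption: 'sources' lists source names, or objects carrying a 'source' key.
    """
    if not check.get("supported", False):
        return "review", "version not covered by Attestd"
    chain = check.get("supply_chain") or {}
    if not chain.get("compromised", False):
        return "allow", f"risk_state={check.get('risk_state')}"
    names = [s if isinstance(s, str) else s.get("source", "") for s in chain.get("sources", [])]
    confidence = max((SOURCE_CONFIDENCE.get(n, 0.0) for n in names), default=0.0)
    what = chain.get("malware_type") or "compromise of unspecified type"
    if confidence >= block_threshold:
        return "block", f"{what} (confidence {confidence:.2f}, sources={names})"
    return "review", f"{what} (confidence {confidence:.2f}, below block threshold)"


if __name__ == "__main__":
    print(evaluate(CLEAN_RESPONSE))  # ('allow', 'risk_state=none')
```

In a pipeline, replace CLEAN_RESPONSE with fetch_check("paramiko", version, api_key) and fail the job on "block", routing "review" to a human.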

attack surface

Why this package is monitored

SSH libraries handle private key material directly. A compromised version can exfiltrate private keys loaded by the application or capture passwords entered for key decryption, providing persistent access to every server the key grants entry to.

Attestd monitors paramiko using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.
