Otsmane-Ahmed / KEIP

Kernel-Enforced Install-Time Policies (KEIP): An eBPF/LSM based security tool that detects and blocks malicious network activity during pip install.

Found Feb 20, 2026 at 14 stars.

AI Summary

KEIP is a Linux security tool that monitors Python package installations in real-time and blocks those making suspicious network connections to prevent malware during setup.

How It Works

1. Discover KEIP: You hear about a helpful protector that keeps your computer safe when adding new Python tools from the internet by watching what they do during setup.

2. Check readiness: You quickly see if your Linux computer has the updates needed to run the protector smoothly.

3. Prepare your system: You add a few basic helpers to your computer so the protector can work its magic.

4. Install the guardian: With one easy step, you place the protector right onto your system where it can watch everything.

5. Turn it on: You start the protector, and it begins quietly watching all Python tool additions across your computer.

6. Try adding a tool: You install a new Python helper, and the protector shows it's safely allowing normal connections or stopping sneaky ones.

Protected installs: Now every time you add Python tools, the guardian keeps bad actors out, letting you work worry-free.

AI-Generated Review

What is KEIP?

KEIP delivers kernel-enforced install-time policies via eBPF/LSM, detecting and blocking malicious network activity during pip install. This Python tool watches pip and Python processes system-wide, killing installs that hit suspicious ports beyond 80/443/53 or contact over five unique IPs. It targets setup.py exploits in supply chain attacks, like credential theft, without signatures or slowdowns.
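The rule described above, modelled in user space as an added example (not KEIP's own code, which enforces in the kernel via eBPF/LSM). The `InstallSession` class, the `evaluate` helper and the sample events are hypothetical and constructed for illustration; only the port set and the five-IP threshold come from the description.

```python
"""User-space model of the install-time rule described above (not KEIP's code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

ALLOWED_PORTS = frozenset({80, 443, 53})  # ports named in the description
MAX_UNIQUE_IPS = 5                        # "over five unique IPs": block on the 6th


@dataclass
class InstallSession:
    """Outbound-connection state for one pip install (hypothetical structure)."""
    pid: int
    seen_ips: set = field(default_factory=set)
    blocked_reason: Optional[str] = None

    def on_connect(self, dst_ip: str, dst_port: int) -> bool:
        """Return True to allow the connection, False to block the install."""
        if self.blocked_reason:           # install already stopped: deny the rest
            return False
        ip = ip_address(dst_ip)           # normalises spelling, rejects malformed input
        if dst_port not in ALLOWED_PORTS:
            self.blocked_reason = f"port {dst_port} not in allowed set"
            return False
        self.seen_ips.add(ip)             # set membership: repeat contacts count once
        if len(self.seen_ips) > MAX_UNIQUE_IPS:
            self.blocked_reason = (
                f"{len(self.seen_ips)} unique IPs exceeds {MAX_UNIQUE_IPS}")
            return False
        return True


def evaluate(pid, events):
    """Replay (ip, port) events; return (allowed_count, blocked_reason)."""
    session = InstallSession(pid)
    allowed = sum(1 for ip, port in events if session.on_connect(ip, port))
    return allowed, session.blocked_reason


# Constructed sample events using documentation address ranges.
BENIGN = [("192.0.2.10", 53), ("198.51.100.7", 443),
          ("198.51.100.7", 443), ("198.51.100.8", 443)]
OFF_PORT = [("192.0.2.10", 53), ("203.0.113.5", 9001), ("198.51.100.7", 443)]
FAN_OUT = [("203.0.113.1", 443), ("203.0.113.2", 443), ("203.0.113.2", 443),
           ("203.0.113.3", 443), ("203.0.113.4", 443), ("203.0.113.5", 443),
           ("203.0.113.6", 443)]

if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("off-port", OFF_PORT), ("fan-out", FAN_OUT)):
        print(name, evaluate(1, ev))
```

Counting parsed addresses rather than raw strings keeps two spellings of the same IPv6 address from being treated as two destinations.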

Why is it gaining traction?

Unlike static scanners that miss obfuscated code or sandboxes adding seconds to CI/CD, KEIP enforces behavioral rules at kernel level during install—unbypassable and under 50ms overhead. Users get real-time connection logs, quiet mode for pipelines, and configurable rules via JSON for ports, IPs, and bytes. It fills the gap where 56% of attacks happen, standing out from runtime tools like Falco.

Who should use this?

Security engineers securing Python workflows in fintech or research labs with heavy pip usage. DevOps teams protecting CI/CD pipelines from malicious packages without build delays. Python maintainers evaluating tools like keip daniel or keiper variants for kernel-enforced install protection.

Verdict

Worth testing for pip-heavy setups needing active defense—setup, run with `sudo keip`, and uninstall cleanly. At 11 stars and 1.0% credibility, it's immature with planned features like exfiltration detection; prototype in VMs before prod.
