The Python Package Authority (PyPA) disclosed CVE-2026-3219 on April 20, 2026, a medium-severity flaw in pip that opens a new vector for supply-chain attacks. The vulnerability allows a specially crafted file—a polyglot combining ZIP and tar data—to be misidentified as a ZIP archive even when the file extension is .tar.gz. This parsing ambiguity can lead pip to silently extract the ZIP contents during installation, bypassing the usual integrity checks associated with source distributions.

pip, the default package installer for Python, handles two primary package formats: source distributions (sdists, typically .tar.gz files) and wheels (.whl files, which are ZIP archives). When installing from a source distribution, pip extracts the archive and executes the setup.py or build system. Wheels are pre-built and often faster to install, but sdists remain common for packages that include native code or for environments where pre-built wheels aren't available. The flaw sits in pip's archive sniffing logic, which determines how to unpack a downloaded file based on its content magic bytes. If a file begins with a valid local file header signature (PK\x03\x04) and also contains a tar header later, pip could erroneously treat the entire file as a ZIP, ignoring the tar wrapper intended by the author.

An attacker can exploit this by crafting a polyglot: a tar file with a prepended ZIP chunk. When uploaded to PyPI—or any custom index—pip will download the file, see the .tar.gz extension, but then read the ZIP header and proceed to install the ZIP payload. The ZIP could contain a malicious setup.py or pre-compiled .pyd/.dll on Windows, granting arbitrary code execution during the install phase. Since the filename suggests a source distribution, many developers and automated build systems may not flag it as suspicious.