Cutting the Gordian Knot: Detecting Malicious PyPI Packages via a Knowledge-Mining Framework

📅 2026-01-23
🤖 AI Summary
This work proposes PyGuard, a novel framework for detecting malicious packages on PyPI that overcomes the limitations of existing syntax-rule-based tools, which suffer from high false positive rates (15–30%) and struggle to distinguish between semantically benign and malicious uses of identical APIs. PyGuard integrates knowledge mining with large language model–driven semantic abstraction to construct a transferable semantic behavior knowledge base across software ecosystems. It employs hierarchical behavioral pattern extraction, contextual reasoning, and precise matching to achieve high detection accuracy. Evaluated on PyPI, PyGuard attains 99.50% accuracy with only two false positives—dramatically outperforming baseline methods (which yield 1,927–2,117 false positives)—and maintains robustness against obfuscated code with 98.28% accuracy. The framework also identifies 219 previously unknown malicious packages and demonstrates cross-language effectiveness on NPM with 98.07% accuracy.

📝 Abstract
The Python Package Index (PyPI) has become a target for malicious actors, yet existing detection tools generate false positive rates of 15-30%, incorrectly flagging one-third of legitimate packages as malicious. This problem arises because current tools rely on simple syntactic rules rather than semantic understanding, failing to distinguish between identical API calls serving legitimate versus malicious purposes. To address this challenge, we propose PyGuard, a knowledge-driven framework that converts detection failures into useful behavioral knowledge by extracting patterns from existing tools' false positives and negatives. Our method utilizes hierarchical pattern mining to identify behavioral sequences that distinguish malicious from benign code, employs Large Language Models to create semantic abstractions beyond syntactic variations, and combines this knowledge into a detection system that integrates exact pattern matching with contextual reasoning. PyGuard achieves 99.50% accuracy with only 2 false positives versus 1,927-2,117 in existing tools, maintains 98.28% accuracy on obfuscated code, and identified 219 previously unknown malicious packages in real-world deployment. The behavioral patterns show cross-ecosystem applicability with 98.07% accuracy on NPM packages, demonstrating that semantic understanding enables knowledge transfer across programming languages.

Problem

Research questions and friction points this paper is trying to address.

malicious PyPI packages
false positives
semantic understanding
software supply chain security
code behavior analysis

Innovation

Methods, ideas, or system contributions that make the work stand out.

knowledge-mining
semantic abstraction
hierarchical pattern mining
large language models
cross-ecosystem detection