Many Hands Make Light Work: An LLM-based Multi-Agent System for Detecting Malicious PyPI Packages

TL;DR

This paper introduces LAMPS, a multi-agent system leveraging collaborative large language models to effectively detect malicious packages in open-source repositories, demonstrating high accuracy and modular reasoning capabilities.

Contribution

The paper presents a novel multi-agent framework using LLMs for malicious code detection, combining role-specific agents and a modular architecture for improved interpretability and performance.

Findings

LAMPS achieves 97.7% accuracy on balanced dataset D1.

LAMPS reaches 99.5% accuracy on realistic dataset D2.

Distributed LLM reasoning enhances malicious code detection effectiveness.

Abstract

Malicious code in open-source repositories such as PyPI poses a growing threat to software supply chains. Traditional rule-based tools often overlook the semantic patterns in source code that are crucial for identifying adversarial components. Large language models (LLMs) show promise for software analysis, yet their use in interpretable and modular security pipelines remains limited. This paper presents LAMPS, a multi-agent system that employs collaborative LLMs to detect malicious PyPI packages. The system consists of four role-specific agents for package retrieval, file extraction, classification, and verdict aggregation, coordinated through the CrewAI framework. A prototype combines a fine-tuned CodeBERT model for classification with LLaMA-3 agents for contextual reasoning. LAMPS has been evaluated on two complementary datasets: D1, a balanced collection of 6,000 setup.py files, and D2, a realistic multi-file dataset with 1,296 files and natural class imbalance. On D1, LAMPS achieves 97.7% accuracy, surpassing MPHunter--one of the state-of-the-art approaches. On D2, it reaches 99.5% accuracy and 99.5% balanced accuracy, outperforming RAG-based approaches and fine-tuned single-agent baselines. McNemar's test confirmed these improvements as highly significant. The results demonstrate the feasibility of distributed LLM reasoning for malicious code detection and highlight the benefits of modular multi-agent designs in software supply chain security.