Merge pull request #256 from AikidoSec/feature/pipx-2

Add PIPX support

README.md

@@ -23,6 +23,7 @@ Aikido Safe Chain supports the following package managers:
 - 📦 **pip3**
 - 📦 **uv**
 - 📦 **poetry**
+- 📦 **pipx**
 
 # Usage
 
@@ -64,7 +65,7 @@ You can find all available versions on the [releases page](https://github.com/Ai
 
 1. **❗Restart your terminal** to start using the Aikido Safe Chain.
 
-   - This step is crucial as it ensures that the shell aliases for npm, npx, yarn, pnpm, pnpx, bun, bunx, and pip/pip3 are loaded correctly. If you do not restart your terminal, the aliases will not be available.
+   - This step is crucial as it ensures that the shell aliases for npm, npx, yarn, pnpm, pnpx, bun, bunx, pip, pip3, poetry, uv and pipx are loaded correctly. If you do not restart your terminal, the aliases will not be available.
 
 2. **Verify the installation** by running one of the following commands:
 
@@ -82,7 +83,7 @@ You can find all available versions on the [releases page](https://github.com/Ai
 
    - The output should show that Aikido Safe Chain is blocking the installation of these test packages as they are flagged as malware.
 
-When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `uv`, `pip`, `pip3` or `poetry` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. It also intercepts Python module invocations for pip when available (e.g., `python -m pip install ...`, `python3 -m pip download ...`). If any malware is detected, it will prompt you to exit the command.
+When running `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `poetry` and `pipx` commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. It also intercepts Python module invocations for pip when available (e.g., `python -m pip install ...`, `python3 -m pip download ...`). If any malware is detected, it will prompt you to exit the command.
 
 You can check the installed version by running:
 
@@ -94,17 +95,17 @@ safe-chain --version
 
 ### Malware Blocking
 
-The Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry and PyPI. When you run npm, npx, yarn, pnpm, pnpx, bun, bunx, uv, pip, pip3 or poetry commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.
+The Aikido Safe Chain works by running a lightweight proxy server that intercepts package downloads from the npm registry and PyPI. When you run npm, npx, yarn, pnpm, pnpx, bun, bunx, pip, pip3, uv, poetry or pipx commands, all package downloads are routed through this local proxy, which verifies packages in real-time against **[Aikido Intel - Open Sources Threat Intelligence](https://intel.aikido.dev/?tab=malware)**. If malware is detected in any package (including deep dependencies), the proxy blocks the download before the malicious code reaches your machine.
 
 ### Minimum package age (npm only)
 
 For npm packages, Safe Chain temporarily suppresses packages published within the last 24 hours (by default) until they have been validated against malware. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. You can configure this threshold or bypass this protection entirely - see the [Minimum Package Age Configuration](#minimum-package-age) section below.
 
-⚠️ This feature **only applies to npm-based package managers** (npm, npx, yarn, pnpm, pnpx, bun, bunx) and does not apply to Python package managers (uv, pip, pip3, poetry).
+⚠️ This feature **only applies to npm-based package managers** (npm, npx, yarn, pnpm, pnpx, bun, bunx) and does not apply to Python package managers (uv, pip, pip3, poetry, pipx).
 
 ### Shell Integration
 
-The Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, yarn, pnpm, pnpx, bun, bunx, and Python package managers (uv, pip). It sets up aliases for these commands so that they are wrapped by the Aikido Safe Chain commands, which manage the proxy server before executing the original commands. We currently support:
+The Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, yarn, pnpm, pnpx, bun, bunx, and Python package managers (pip, uv, poetry, pipx). It sets up aliases for these commands so that they are wrapped by the Aikido Safe Chain commands, which manage the proxy server before executing the original commands. We currently support:
 
 - ✅ **Bash**
 - ✅ **Zsh**

docs/shell-integration.md

@@ -2,7 +2,7 @@
 
 ## Overview
 
-The shell integration automatically wraps common package manager commands (`npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, `pip3`) with Aikido's security scanning functionality. It also intercepts Python module invocations for pip when available: `python -m pip`, `python -m pip3`, `python3 -m pip`, `python3 -m pip3`. This is achieved by sourcing startup scripts that define shell functions to wrap these commands with their Aikido-protected equivalents.
+The shell integration automatically wraps common package manager commands (`npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `poetry`, `pipx`) with Aikido's security scanning functionality. It also intercepts Python module invocations for pip when available: `python -m pip`, `python -m pip3`, `python3 -m pip`, `python3 -m pip3`. This is achieved by sourcing startup scripts that define shell functions to wrap these commands with their Aikido-protected equivalents.
 
 ## Supported Shells
 
@@ -28,7 +28,7 @@ This command:
 
 - Copies necessary startup scripts to Safe Chain's installation directory (`~/.safe-chain/scripts`)
 - Detects all supported shells on your system
-- Sources each shell's startup file to add Safe Chain functions for `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, and `pip3`
+- Sources each shell's startup file to add Safe Chain functions for `npm`, `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `poetry` and `pipx`
 - Adds lightweight interceptors so `python -m pip[...]` and `python3 -m pip[...]` route through Safe Chain when invoked by name
 
 ❗ After running this command, **you must restart your terminal** for the changes to take effect. This ensures that the startup scripts are sourced correctly.
@@ -78,7 +78,7 @@ The system modifies the following files to source Safe Chain startup scripts:
 This means the shell functions are working but the Aikido commands aren't installed or available in your PATH:
 
 - Make sure Aikido Safe Chain is properly installed on your system
-- Verify the `aikido-npm`, `aikido-npx`, `aikido-yarn`, `aikido-pnpm`, `aikido-pnpx`, `aikido-bun`, `aikido-bunx`, `aikido-pip`, and `aikido-pip3` commands exist
+- Verify the `aikido-npm`, `aikido-npx`, `aikido-yarn`, `aikido-pnpm`, `aikido-pnpx`, `aikido-bun`, `aikido-bunx`, `aikido-pip`, `aikido-pip3`, `aikido-uv`, `aikido-poetry` and `aikido-pipx` commands exist
 - Check that these commands are in your system's PATH
 
 ### Manual Verification
@@ -121,7 +121,7 @@ npm() {
 }
 ```
 
-Repeat this pattern for `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, and `pip3` using their respective `aikido-*` commands. After adding these functions, restart your terminal to apply the changes.
+Repeat this pattern for `npx`, `yarn`, `pnpm`, `pnpx`, `bun`, `bunx`, `pip`, `pip3`, `uv`, `poetry` and `pipx` using their respective `aikido-*` commands. After adding these functions, restart your terminal to apply the changes.
 
 To intercept Python module invocations for pip without altering Python itself, you can add small forwarding functions:
 

package-lock.json

@@ -3131,6 +3131,7 @@
         "aikido-npx": "bin/aikido-npx.js",
         "aikido-pip": "bin/aikido-pip.js",
         "aikido-pip3": "bin/aikido-pip3.js",
+        "aikido-pipx": "bin/aikido-pipx.js",
         "aikido-pnpm": "bin/aikido-pnpm.js",
         "aikido-pnpx": "bin/aikido-pnpx.js",
         "aikido-poetry": "bin/aikido-poetry.js",

packages/safe-chain/bin/aikido-pipx.js

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+
+import { main } from "../src/main.js";
+import { initializePackageManager } from "../src/packagemanager/currentPackageManager.js";
+import { setEcoSystem, ECOSYSTEM_PY } from "../src/config/settings.js";
+
+// Set eco system
+setEcoSystem(ECOSYSTEM_PY);
+
+initializePackageManager("pipx");
+
+(async () => {
+  // Pass through only user-supplied pipx args
+  var exitCode = await main(process.argv.slice(2));
+  process.exit(exitCode);
+})();

packages/safe-chain/package.json

@@ -21,6 +21,7 @@
     "aikido-python": "bin/aikido-python.js",
     "aikido-python3": "bin/aikido-python3.js",
     "aikido-poetry": "bin/aikido-poetry.js",
+    "aikido-pipx": "bin/aikido-pipx.js",
     "safe-chain": "bin/safe-chain.js"
   },
   "type": "module",

packages/safe-chain/src/packagemanager/currentPackageManager.js

@@ -12,6 +12,7 @@ import { createYarnPackageManager } from "./yarn/createPackageManager.js";
 import { createPipPackageManager } from "./pip/createPackageManager.js";
 import { createUvPackageManager } from "./uv/createUvPackageManager.js";
 import { createPoetryPackageManager } from "./poetry/createPoetryPackageManager.js";
+import { createPipXPackageManager } from "./pipx/createPipXPackageManager.js";
 
 /**
  * @type {{packageManagerName: PackageManager | null}}
@@ -61,6 +62,8 @@ export function initializePackageManager(packageManagerName, context) {
     state.packageManagerName = createUvPackageManager();
   } else if (packageManagerName === "poetry") {
     state.packageManagerName = createPoetryPackageManager();
+  } else if (packageManagerName === "pipx") {
+    state.packageManagerName = createPipXPackageManager();
   } else {
     throw new Error("Unsupported package manager: " + packageManagerName);
   }

packages/safe-chain/src/packagemanager/pipx/createPipXPackageManager.js

@@ -0,0 +1,18 @@
+import { runPipX } from "./runPipXCommand.js";
+
+/**
+ * @returns {import("../currentPackageManager.js").PackageManager}
+ */
+export function createPipXPackageManager() {
+  return {
+    /**
+     * @param {string[]} args
+     */
+    runCommand: (args) => {
+      return runPipX("pipx", args);
+    },
+    // MITM only
+    isSupportedCommand: () => false,
+    getDependencyUpdatesForCommand: () => [],
+  };
+}

packages/safe-chain/src/packagemanager/pipx/createPipXPackageManager.spec.js

@@ -0,0 +1,14 @@
+import { test } from "node:test";
+import assert from "node:assert";
+import { createPipXPackageManager } from "./createPipXPackageManager.js";
+
+test("createPipXPackageManager", async (t) => {
+  await t.test("should create package manager with required interface", () => {
+    const pm = createPipXPackageManager();
+
+    assert.ok(pm);
+    assert.strictEqual(typeof pm.runCommand, "function");
+    assert.strictEqual(typeof pm.isSupportedCommand, "function");
+    assert.strictEqual(typeof pm.getDependencyUpdatesForCommand, "function");
+  });
+});

packages/safe-chain/src/packagemanager/pipx/runPipXCommand.js

@@ -0,0 +1,65 @@
+import { ui } from "../../environment/userInteraction.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+
+/**
+ * Sets CA bundle environment variables used by Python libraries and pipx.
+ * 
+ * @param {NodeJS.ProcessEnv} env - Env object
+ * @param {string} combinedCaPath - Path to the combined CA bundle
+ * @return {NodeJS.ProcessEnv} Modified environment object
+ */
+function getPipXCaBundleEnvironmentVariables(env, combinedCaPath) {
+  let retVal = { ...env };
+
+  if (env.SSL_CERT_FILE) {
+    ui.writeWarning("Safe-chain: User defined SSL_CERT_FILE found in environment. It will be overwritten.");
+  }
+  retVal.SSL_CERT_FILE = combinedCaPath;
+
+  if (env.REQUESTS_CA_BUNDLE) {
+    ui.writeWarning("Safe-chain: User defined REQUESTS_CA_BUNDLE found in environment. It will be overwritten.");
+  }
+  retVal.REQUESTS_CA_BUNDLE = combinedCaPath;
+
+  if (env.PIP_CERT) {
+    ui.writeWarning("Safe-chain: User defined PIP_CERT found in environment. It will be overwritten.");
+  }
+  retVal.PIP_CERT = combinedCaPath;
+  return retVal;
+}
+
+/**
+ * Runs a pipx command with safe-chain's certificate bundle and proxy configuration.
+ * 
+ * @param {string} command - The command to execute
+ * @param {string[]} args - Command line arguments
+ * @returns {Promise<{status: number}>} Exit status of the command
+ */
+export async function runPipX(command, args) {
+  try {
+    const env = mergeSafeChainProxyEnvironmentVariables(process.env);
+
+    const combinedCaPath = getCombinedCaBundlePath();
+    const modifiedEnv = getPipXCaBundleEnvironmentVariables(env, combinedCaPath);
+
+    // Note: pipx uses HTTPS_PROXY and HTTP_PROXY environment variables for proxy configuration
+    // These are already set by mergeSafeChainProxyEnvironmentVariables
+
+    const result = await safeSpawn(command, args, {
+      stdio: "inherit",
+      env: modifiedEnv,
+    });
+
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError(`Error executing command: ${error.message}`);
+      ui.writeError(`Is '${command}' installed and available on your system?`);
+      return { status: 1 };
+    }
+  }
+}

packages/safe-chain/src/packagemanager/pipx/runPipXCommand.spec.js

@@ -0,0 +1,80 @@
+import { describe, it, beforeEach, afterEach, mock } from "node:test";
+import assert from "node:assert";
+
+describe("runPipXCommand", () => {
+  let runPipX;
+  let safeSpawnMock;
+  let warnMock;
+  let errorMock;
+  let mergeCalls;
+  let mergedEnvReturn;
+
+  beforeEach(async () => {
+    mergeCalls = [];
+    mergedEnvReturn = {
+      HTTPS_PROXY: "http://localhost:8080",
+      HTTP_PROXY: "",
+    };
+
+    safeSpawnMock = mock.fn(async () => ({ status: 0 }));
+    warnMock = mock.fn();
+    errorMock = mock.fn();
+
+    mock.module("../../environment/userInteraction.js", {
+      namedExports: {
+        ui: {
+          writeWarning: warnMock,
+          writeError: errorMock,
+          writeInfo: () => {},
+          writeVerbose: () => {},
+          writeSuccess: () => {},
+        },
+      },
+    });
+
+    mock.module("../../registryProxy/registryProxy.js", {
+      namedExports: {
+        mergeSafeChainProxyEnvironmentVariables: (env) => {
+          mergeCalls.push(env);
+          return { ...env, ...mergedEnvReturn };
+        },
+      },
+    });
+
+    mock.module("../../registryProxy/certBundle.js", {
+      namedExports: {
+        getCombinedCaBundlePath: () => "/tmp/test-combined-ca.pem",
+      },
+    });
+
+    mock.module("../../utils/safeSpawn.js", {
+      namedExports: {
+        safeSpawn: safeSpawnMock,
+      },
+    });
+
+    const mod = await import("./runPipXCommand.js");
+    runPipX = mod.runPipX;
+  });
+
+  afterEach(() => {
+    mock.reset();
+  });
+
+  it("sets CA env vars and proxies before spawning", async () => {
+    const res = await runPipX("pipx", ["install", "ruff"]);
+
+    assert.strictEqual(res.status, 0);
+    assert.strictEqual(safeSpawnMock.mock.calls.length, 1, "safeSpawn should be called once");
+
+    const [, , options] = safeSpawnMock.mock.calls[0].arguments;
+    const env = options.env;
+
+    assert.strictEqual(env.SSL_CERT_FILE, "/tmp/test-combined-ca.pem");
+    assert.strictEqual(env.REQUESTS_CA_BUNDLE, "/tmp/test-combined-ca.pem");
+    assert.strictEqual(env.PIP_CERT, "/tmp/test-combined-ca.pem");
+    assert.strictEqual(env.HTTPS_PROXY, "http://localhost:8080");
+    assert.strictEqual(env.HTTP_PROXY, "");
+    assert.ok(mergeCalls.length >= 1, "proxy merge should be invoked");
+  });
+});

packages/safe-chain/src/shell-integration/helpers.js

@@ -94,6 +94,12 @@ export const knownAikidoTools = [
     ecoSystem: ECOSYSTEM_PY,
     internalPackageManagerName: "pip",
   },
+  {
+    tool: "pipx",
+    aikidoCommand: "aikido-pipx",
+    ecoSystem: ECOSYSTEM_PY,
+    internalPackageManagerName: "pipx",
+  }
   // When adding a new tool here, also update the documentation for the new tool in the README.md
 ];
 

packages/safe-chain/src/shell-integration/startup-scripts/init-fish.fish

@@ -39,7 +39,6 @@ function npm
     wrapSafeChainCommand "npm" $argv
 end
 
-
 function pip
     wrapSafeChainCommand "pip" $argv
 end
@@ -66,6 +65,10 @@ function python3
     wrapSafeChainCommand "python3" $argv
 end
 
+function pipx
+    wrapSafeChainCommand "pipx" $argv
+end
+
 function printSafeChainWarning
     set original_cmd $argv[1]
     

packages/safe-chain/src/shell-integration/startup-scripts/init-posix.sh

@@ -35,7 +35,6 @@ function npm() {
   wrapSafeChainCommand "npm" "$@"
 }
 
-
 function pip() {
   wrapSafeChainCommand "pip" "$@"
 }
@@ -62,6 +61,10 @@ function python3() {
   wrapSafeChainCommand "python3" "$@"
 }
 
+function pipx() {
+  wrapSafeChainCommand "pipx" "$@"
+}
+
 function printSafeChainWarning() {
   # \033[43;30m is used to set the background color to yellow and text color to black
   # \033[0m is used to reset the text formatting

packages/safe-chain/src/shell-integration/startup-scripts/init-pwsh.ps1

@@ -66,6 +66,9 @@ function python3 {
     Invoke-WrappedCommand 'python3' $args
 }
 
+function pipx {
+    Invoke-WrappedCommand "pipx" $args
+}
 
 function Write-SafeChainWarning {
     param([string]$Command)

test/e2e/pipx.e2e.spec.js

@@ -0,0 +1,200 @@
+import { describe, it, before, beforeEach, afterEach } from "node:test";
+import { DockerTestContainer } from "./DockerTestContainer.js";
+import assert from "node:assert";
+
+describe("E2E: pipx coverage", () => {
+  let container;
+
+  before(async () => {
+    DockerTestContainer.buildImage();
+  });
+
+  beforeEach(async () => {
+    container = new DockerTestContainer();
+    await container.start();
+
+    const installationShell = await container.openShell("zsh");
+    await installationShell.runCommand("safe-chain setup");
+  });
+
+  afterEach(async () => {
+    if (container) {
+      await container.stop();
+      container = null;
+    }
+  });
+
+  it(`successfully installs known safe packages with pipx install`, async () => {
+    const shell = await container.openShell("zsh");
+
+    const result = await shell.runCommand(
+      "pipx install ruff --safe-chain-logging=verbose"
+    );
+
+    assert.ok(
+      result.output.includes("no malware found.") || result.output.includes("installed successfully"),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+  });
+
+  it(`safe-chain blocks installation of malicious Python packages via pipx`, async () => {
+    const shell = await container.openShell("zsh");
+
+    const result = await shell.runCommand(
+      "pipx install safe-chain-pi-test"
+    );
+
+    assert.ok(
+      result.output.includes("blocked by safe-chain"),
+      `Expected malware to be blocked. Output was:\n${result.output}`
+    );
+    assert.ok(
+      result.output.includes("Exiting without installing malicious packages."),
+      `Expected exit message. Output was:\n${result.output}`
+    );
+  });
+
+  it(`pipx upgrade upgrades installed packages`, async () => {
+    const shell = await container.openShell("zsh");
+
+    await shell.runCommand("pipx install ruff==0.1.0");
+
+    const result = await shell.runCommand(
+      "pipx upgrade ruff"
+    );
+
+    assert.ok(
+      result.output.includes("no malware found.") || result.output.includes("Upgraded") || result.output.includes("upgraded"),
+      `Output did not include expected text. Output was:\n${result.output}`
+    );
+  });
+
+  it(`pipx run downloads and executes a safe tool`, async () => {
+    const shell = await container.openShell("zsh");
+
+    const result = await shell.runCommand(
+      "pipx run ruff --version"
+    );
+
+    assert.ok(
+      result.output.includes("no malware found.") || /ruff/i.test(result.output),
+      `Expected safe run to succeed. Output was:\n${result.output}`
+    );
+  });
+
+  it(`pipx run blocks malicious tool download`, async () => {
+    const shell = await container.openShell("zsh");
+
+    const result = await shell.runCommand(
+      "pipx run safe-chain-pi-test --version"
+    );
+
+    assert.ok(
+      result.output.includes("blocked by safe-chain"),
+      `Expected malicious run to be blocked. Output was:\n${result.output}`
+    );
+    assert.ok(
+      result.output.includes("Exiting without installing malicious packages."),
+      `Expected exit message. Output was:\n${result.output}`
+    );
+  });
+
+  it(`pipx runpip installs safe dependency inside an app venv`, async () => {
+    const shell = await container.openShell("zsh");
+
+    // Prepare an app environment
+    await shell.runCommand("pipx install ruff");
+
+    const result = await shell.runCommand(
+      "pipx runpip ruff install requests==2.32.3"
+    );
+
+    assert.ok(
+      result.output.includes("no malware found.") || /Successfully installed/i.test(result.output) || /requests/i.test(result.output),
+      `Expected safe dependency install inside app venv. Output was:\n${result.output}`
+    );
+  });
+
+  it(`pipx runpip blocks malicious dependency install`, async () => {
+    const shell = await container.openShell("zsh");
+
+    // Prepare an app environment
+    await shell.runCommand("pipx install ruff");
+
+    const result = await shell.runCommand(
+      "pipx runpip ruff install safe-chain-pi-test"
+    );
+
+    assert.ok(
+      result.output.includes("blocked by safe-chain"),
+      `Expected malicious dependency to be blocked. Output was:\n${result.output}`
+    );
+    assert.ok(
+      result.output.includes("Exiting without installing malicious packages."),
+      `Expected exit message. Output was:\n${result.output}`
+    );
+  });
+
+  it(`pipx list shows installed packages`, async () => {
+    const shell = await container.openShell("zsh");
+
+    await shell.runCommand("pipx install ruff");
+
+    const result = await shell.runCommand(
+      "pipx list"
+    );
+
+    assert.ok(
+      result.output.includes("ruff"),
+      `Expected ruff in list output. Output was:\n${result.output}`
+    );
+  });
+
+  it(`pipx uninstall removes packages`, async () => {
+    const shell = await container.openShell("zsh");
+
+    await shell.runCommand("pipx install ruff --safe-chain-logging=verbose");
+    await shell.runCommand("pipx uninstall ruff --safe-chain-logging=verbose");
+
+    const result = await shell.runCommand(
+      "pipx list"
+    );
+
+    assert.ok(
+      !result.output.includes("ruff"),
+      `Expected ruff to be removed from list. Output was:\n${result.output}`
+    );
+  });
+
+  it('pipx inject installs safe packages into existing venvs', async () => {
+    const shell = await container.openShell("zsh");
+
+    await shell.runCommand("pipx install ruff --safe-chain-logging=verbose");
+    const result = await shell.runCommand(
+      "pipx inject ruff requests==2.32.3 --safe-chain-logging=verbose"
+    );
+
+    assert.ok(
+      result.output.includes("no malware found.") || /Successfully installed/i.test(result.output) || /requests/i.test(result.output),
+      `Expected safe package to be injected. Output was:\n${result.output}`
+    );
+  });
+
+  it('pipx inject blocks malicious packages from being installed into existing venvs', async () => {
+    const shell = await container.openShell("zsh");
+
+    await shell.runCommand("pipx install ruff --safe-chain-logging=verbose");
+    const result = await shell.runCommand(
+      "pipx inject ruff safe-chain-pi-test --safe-chain-logging=verbose"
+    );
+
+    assert.ok(
+      result.output.includes("blocked by safe-chain"),
+      `Expected malicious package to be blocked. Output was:\n${result.output}`
+    );
+    assert.ok(
+      result.output.includes("Exiting without installing malicious packages."),
+      `Expected exit message. Output was:\n${result.output}`
+    );
+  });
+});