
Warning: PyPI Feature Executes Code Automatically After Python Package Download
2022-09-02 10:21

In another finding that could expose developers to increased risk of a supply chain attack, it has emerged that nearly one-third of the packages in PyPI, the Python Package Index, trigger automatic code execution upon downloading them.

"A worrying feature in pip/PyPI allows code to automatically run when developers are merely downloading a package," Checkmarx researcher Yehuda Gelb said in a technical report published this week.

In other words, pip's download command can be used to fetch a Python package without installing it on the system.

"Developers opting to download, instead of installing packages, are reasonably expecting that no code will run on the machine upon downloading the files," Gelb noted, characterizing it as a design issue rather than a bug.

Because pip falls back to the tar.gz source distribution when no wheel is published, an attacker could take advantage of this behavior to intentionally publish Python packages without a .whl file, leading to the execution of the malicious code present in the setup script.

"When a user downloads a python package from PyPI, pip will preferentially use the .whl file, but will fall back to the tar.gz file if the .whl file is lacking," Gelb said.
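The wheel-versus-tar.gz fallback described above is something a defender can check for before fetching anything. The following is an added example, not code from the article or from Checkmarx: it takes release metadata in the shape of the PyPI JSON API's "urls" list (the sample responses and project names are constructed for this example), flags releases that ship only an sdist, and builds a pip invocation that uses the real --only-binary=:all: option so pip errors out instead of falling back to the tar.gz. Note the caveat that a published wheel may still not match your platform or Python version, in which case plain pip download would also fall back; the --only-binary option covers that case too by refusing any sdist.

```python
import json
from typing import Dict, List

# Constructed sample, shaped like the "urls" list that the PyPI JSON API
# (https://pypi.org/pypi/<project>/<version>/json) returns for one release.
# The project names and filenames below are made up for this example.
SAMPLE_API_RESPONSES: Dict[str, str] = {
    "wheel-and-sdist": json.dumps({"urls": [
        {"filename": "wheel_and_sdist-1.0-py3-none-any.whl", "packagetype": "bdist_wheel"},
        {"filename": "wheel-and-sdist-1.0.tar.gz", "packagetype": "sdist"},
    ]}),
    "sdist-only": json.dumps({"urls": [
        {"filename": "sdist-only-2.3.tar.gz", "packagetype": "sdist"},
    ]}),
    "wheel-only": json.dumps({"urls": [
        {"filename": "wheel_only-0.4-py3-none-any.whl", "packagetype": "bdist_wheel"},
    ]}),
}


def release_files(api_json: str) -> List[dict]:
    """Extract the per-file records from a PyPI release JSON document."""
    return json.loads(api_json).get("urls", [])


def has_wheel(files: List[dict]) -> bool:
    """True if at least one .whl file is published for this release.
    Caveat: a wheel for a different platform or Python version still leads
    pip to fall back to the sdist; this check only spots releases with no
    wheel at all."""
    return any(f.get("packagetype") == "bdist_wheel" for f in files)


def falls_back_to_sdist(files: List[dict]) -> bool:
    """True if the only downloadable artifact is a tar.gz, so a plain
    'pip download' takes the sdist path that runs the package's setup script."""
    has_sdist = any(f.get("packagetype") == "sdist" for f in files)
    return has_sdist and not has_wheel(files)


def audit(responses: Dict[str, str]) -> Dict[str, str]:
    """Classify each release as 'wheel' (no setup script involved),
    'sdist-only' (setup script would run on download) or 'no-files'."""
    verdicts: Dict[str, str] = {}
    for name, api_json in responses.items():
        files = release_files(api_json)
        if has_wheel(files):
            verdicts[name] = "wheel"
        elif falls_back_to_sdist(files):
            verdicts[name] = "sdist-only"
        else:
            verdicts[name] = "no-files"
    return verdicts


def safe_download_command(requirement: str) -> List[str]:
    """Build a pip invocation that refuses the sdist fallback entirely:
    with --only-binary=:all: pip fails instead of building from tar.gz.
    --no-deps keeps pip from silently pulling sdist-only dependencies."""
    return ["pip", "download", "--only-binary=:all:", "--no-deps", requirement]


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_API_RESPONSES).items():
        print(f"{name}: {verdict}")
    print(" ".join(safe_download_command("sdist-only==2.3")))
```

Running the audit over the constructed sample reports `sdist-only` for the release that has no wheel, which is exactly the case where downloading with default options would execute the setup script. In practice the JSON document would come from a request to the PyPI API for the specific version you intend to fetch.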

News URL

https://thehackernews.com/2022/09/warning-pypi-feature-executes-code.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Python 24 2 52 74 31 159
Pypi 15 0 0 1 15 16