PyPI Suspicious Scripts
ID | suspicious_scripts_pip
Severity | low
Family | Suspicious Scripts
Description
In Python packages you can declare scripts that are executed during the installation step:

```python
# setup.py
from setuptools import setup

setup(
    # other arguments here...
    entry_points={
        "setuptools.installation": [
            "eggsecutable = my_package.some_module:main_func",
        ]
    },
)
```
or
```toml
# pyproject.toml
[tool.poetry.scripts]
my-script = "my_package_name.py_file:function_name"
```

This detector compares the scripts section of the current version against that of the previous version and flags any change for review.
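As an added example (not the detector's own code), the following script extracts the script entry points declared in two versions of a package's pyproject.toml (the Poetry section and the PEP 621 `[project]` sections) and reports which entries were added, removed or retargeted; the two manifests are constructed samples.

```python
"""Diff the install-time script entries of two Python package versions (added example)."""
try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # type: ignore  # backport for older interpreters

def script_entries(pyproject_text: str) -> dict[str, str]:
    """Return {"section:name": "target"} for every script entry point in a pyproject.toml."""
    data = tomllib.loads(pyproject_text)
    entries: dict[str, str] = {}
    poetry_scripts = data.get("tool", {}).get("poetry", {}).get("scripts", {})
    for name, target in poetry_scripts.items():
        entries[f"tool.poetry.scripts:{name}"] = str(target)  # target may be a table
    project = data.get("project", {})
    for name, target in project.get("scripts", {}).items():
        entries[f"project.scripts:{name}"] = str(target)
    for group, table in project.get("entry-points", {}).items():
        for name, target in table.items():
            entries[f"project.entry-points.{group}:{name}"] = str(target)
    return entries

def diff_scripts(previous: str, current: str) -> dict[str, list[str]]:
    """Entries added, removed or retargeted between two manifests; any non-empty list needs review."""
    old, new = script_entries(previous), script_entries(current)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in new if k in old and new[k] != old[k]),
    }

# Constructed sample manifests: the new release retargets the existing CLI entry
# point and adds a second one, both of which should be reviewed before upgrading.
PREV_PYPROJECT = """
[tool.poetry]
version = "1.0.0"
[tool.poetry.scripts]
my-script = "my_package_name.cli:main"
"""
CUR_PYPROJECT = """
[tool.poetry]
version = "1.0.1"
[tool.poetry.scripts]
my-script = "my_package_name.cli:entry"
my-helper = "my_package_name.post_install:run"
"""

if __name__ == "__main__":
    for kind, keys in diff_scripts(PREV_PYPROJECT, CUR_PYPROJECT).items():
        print(f"{kind}: {keys}")
```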
Security
A change in the scripts between the previous and the current version may be a hint that malicious code will be run by the installation process.
Examples
```python
# setup.py
from setuptools import setup

setup(
    # other arguments here...
    entry_points={
        "setuptools.installation": [
            "eggsecutable = my_package.some_module:main_func",
        ]
    },
)
```
Mitigation / Fix
Check the change between versions; if it is unintended code, remove this dependency immediately. If, on the other hand, it is benign code needed for installation, add a mute for this issue.
Please note that malicious actors put effort into hiding malware from code review and use obfuscation techniques that should quickly raise alarms: decryption routines, downloads from remote sites, use of unexpected binary files, and the like.