Supply-chain threat intelligence

Incident detail

criticalpypi·credential theft·osv

Malicious code in pyext6cc8cd (PyPI)

pyext6cc8cd

Risk score

92

AI summary

Indexed incident for pyext6cc8cd (pypi).

Description

On pip install, setup.py decodes a hex string via bytes.fromhex("6f70656e202d612043616c63756c61746f72").decode().split() to the argv open -a Calculator and executes it through subprocess.Popen before setuptools.setup() is called. The command runs unconditionally as part of the install lifecycle. The package metadata is placeholder (Author, Home-page, and Description are all 'UNKNOWN') and the package ships no functional code, so this is a proof-of-concept / test artifact demonstrating arbitrary install-time command execution. While the decoded payload here only opens macOS Calculator, the hex obfuscation of the argv is a deliberate technique to evade scanners that grep setup.py for literal command strings, and the same primitive trivially swaps to a destructive or exfiltration payload. Installers should treat this version as untrusted install-time code execution.

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents