In another finding that could expose developers to increased risk of a supply chain attack, it has emerged that nearly one-third of the packages in PyPI, the Python Package Index, trigger automatic code execution upon downloading them.
One way to install Python packages is to run the “pip install” command, which, in turn, invokes a file called “setup.py” that comes bundled with the module.
While threat actors have resorted to incorporating malicious code in the setup.py file, Checkmarx found that adversaries could achieve the same goals when what’s called a “pip download” command is run instead.
Although pip defaults to using wheels instead of tar.gz files, an attacker could take advantage of this behavior to intentionally publish Python packages without a .whl file, leading to the execution of the malicious code present in the setup script.
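A defender-side check for the condition described above, as an added example that is not from the article or from Checkmarx: it flags releases that ship no .whl file, so pip would have to use the source archive and its setup script. The metadata is constructed in the shape of PyPI's JSON API; the package name, versions and helper function names are assumptions.

```python
import json

# Constructed sample in the shape of the "releases" mapping returned by
# PyPI's JSON API; the package name, versions and filenames are made up.
SAMPLE_METADATA = json.loads("""
{
  "info": {"name": "example-pkg"},
  "releases": {
    "1.0.0": [
      {"filename": "example_pkg-1.0.0-py3-none-any.whl", "packagetype": "bdist_wheel"},
      {"filename": "example_pkg-1.0.0.tar.gz", "packagetype": "sdist"}
    ],
    "1.0.1": [
      {"filename": "example_pkg-1.0.1.tar.gz", "packagetype": "sdist"}
    ],
    "1.1.0": []
  }
}
""")


def classify_release(files):
    """Return 'wheel', 'sdist-only' or 'empty' for one release's file list."""
    if not files:
        return "empty"  # nothing uploaded (or everything removed) for this version
    for f in files:
        # Require both the declared type and a .whl filename before trusting it.
        if f.get("packagetype") == "bdist_wheel" and f.get("filename", "").endswith(".whl"):
            return "wheel"
    return "sdist-only"


def sdist_only_versions(metadata):
    """Versions with no wheel at all, where pip must use the source archive."""
    return sorted(
        version
        for version, files in metadata.get("releases", {}).items()
        if classify_release(files) == "sdist-only"
    )


if __name__ == "__main__":
    name = SAMPLE_METADATA["info"]["name"]
    for version in sdist_only_versions(SAMPLE_METADATA):
        print(f"{name} {version}: no wheel published, setup.py would run")
```

A release that publishes wheels only for other platforms or Python versions can still fall back to the source archive, which this check does not cover.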
The findings come as the U.S. National Security Agency (NSA), along with the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI), released guidance for securing the software supply chain.