Warning: PyPI Feature Executes Code Automatically After Python Package Download

02-Sep-22

In yet another finding that could put developers at heightened risk of a supply chain attack, researchers report that about one-third of the packages on PyPI, the Python Package Index, trigger automatic code execution when they are merely downloaded.

Checkmarx researcher Yehuda Gelb wrote in a technical report released this week: "A troubling feature in pip/PyPI allows code to automatically run when developers are only downloading a package." As its name suggests, "setup.py" is a setup script used to establish package-related metadata, including its dependencies. Because pip has to run the setup.py of a source distribution to read that metadata, any code placed in it executes during `pip download`, before the package is ever installed.
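To make the risk concrete, here is an added example (not code from Checkmarx's report or from pip) of the kind of pre-download check a practitioner can run: it opens an sdist tarball, locates setup.py, and inspects it with Python's `ast` module instead of executing it, flagging module-level statements other than imports, assignments, definitions and the `setup()` call itself, plus calls into command, network and decoding primitives. Both setup.py bodies, the sdist builder, and the list of suspicious names are constructed for this example and are not from the page.

```python
"""Static check of an sdist's setup.py for download-time side effects.

Added example, not Checkmarx's or pip's code. The setup.py samples and the
in-memory sdist are constructed here so the script runs offline.
"""
import ast
import io
import tarfile

# Constructed list of call targets that have no business in a setup script.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "exec", "eval",
    "urllib.request.urlopen", "requests.get", "requests.post",
    "socket.socket", "base64.b64decode",
}

# Constructed benign sample: only imports and a setup() call.
BENIGN_SETUP = '''
from setuptools import setup, find_packages

setup(
    name="example",
    version="0.1.0",
    packages=find_packages(),
    install_requires=["requests>=2"],
)
'''

# Constructed malicious sample: the os.system() line runs as soon as pip
# executes setup.py to read metadata, i.e. during `pip download`.
MALICIOUS_SETUP = '''
import base64, os
from setuptools import setup

os.system(base64.b64decode("ZWNobyBwd25lZA==").decode())

setup(name="example", version="0.1.0")
'''


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_setup_call(stmt):
    return (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
            and _dotted_name(stmt.value.func) in {"setup", "setuptools.setup"})


def scan_setup_py(source):
    """Return sorted (line, reason) findings for a setup.py source string."""
    findings = set()
    tree = ast.parse(source)
    # Pass 1: anything at module level that is not an import, assignment,
    # definition or the setup() call executes the moment pip imports the file.
    for stmt in tree.body:
        if isinstance(stmt, (ast.Import, ast.ImportFrom, ast.Assign,
                             ast.FunctionDef, ast.ClassDef)) or _is_setup_call(stmt):
            continue
        findings.add((stmt.lineno, "module-level statement runs on download: "
                      + type(stmt).__name__))
    # Pass 2: suspicious calls anywhere, including inside cmdclass overrides.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.add((node.lineno, f"suspicious call: {name}()"))
    return sorted(findings)


def build_sdist(setup_source, name="example-0.1.0"):
    """Construct an in-memory .tar.gz sdist holding only setup.py (test fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_source.encode()
        info = tarfile.TarInfo(f"{name}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_sdist(sdist_bytes):
    """Locate <pkg>/setup.py inside an sdist and scan it without running it."""
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name.count("/") == 1 and member.name.endswith("/setup.py"):
                return scan_setup_py(tar.extractfile(member).read().decode())
    return []  # no setup.py: nothing for pip to execute at download time


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("malicious", MALICIOUS_SETUP)):
        print(label, scan_sdist(build_sdist(src)))
```

The scan is a review aid, not a sandbox: a setup.py that reaches the same primitives through `getattr`, `importlib` or string-built names will slip past it. The operational mitigation that does not depend on spotting the code is to refuse source distributions altogether where possible, with `pip download --only-binary=:all:` or `pip install --only-binary=:all:`, since a wheel ships static metadata and pip never executes anything to read it.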