A new attack method has been discovered that abuses the “setup.py” file in Python modules to perform code execution when the package is installed. Attackers could use this method to insert malicious code inside the package that could be executed with root privileges. However not all of the packages require this level of permission. When Python modules are installed, usually it’s through a package manager called “pip.” This launches the setup.py file which is made available by the developer of the package for installation purposes. The file typically gets limited attention because it’s present only to help the user add modules to their machine. The good news is that people typically examine packages or modules thoroughly when the code is imported and run within a program, which makes it easier to detect malicious code. Researchers claim, “When you use an IDE and open a module function, it opens the file inside the Python directory. So one could see if there’s something wrong.” However, placing malicious code in setup.py, allows malware to be installed and remain undetected even if the package is not used. Users are advised to be cautious when installing Python modules.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased