When installing dependencies, Python package managers like pip will automatically execute build scripts distributed along with the
source code. The most common build script is setup.py, which runs arbitrary Python code during installation. Build scripts are a common
way to execute malicious code at install time whenever a package is compromised. The modern approach is to use pyproject.toml
instead, which does not execute arbitrary code during installation.
When package managers execute installation scripts, they run arbitrary code distributed with third-party packages. A compromised package can use this mechanism to execute malicious code on the build system, potentially stealing credentials, injecting backdoors, or otherwise compromising the supply chain.
If a dependency is compromised and its scripts are executed, an attacker can run arbitrary code with the permissions of the process performing the installation. This can lead to credential theft from the build environment, introduction of backdoors into the application, or lateral movement within CI/CD infrastructure.
steps: - bash: pip install -r requirements.txt # Noncompliant
steps: - bash: pip install --only-binary :all: -r requirements.txt
steps: - bash: poetry install # Noncompliant
steps: - bash: POETRY_INSTALLER_ONLY_BINARY=:all: poetry install
steps: - bash: uv pip install -r requirements.txt # Noncompliant
steps: - bash: uv sync # Noncompliant
steps: - bash: uv run script.py # Noncompliant
steps: - bash: uv tool run pkg # Noncompliant
steps: - bash: uv pip install --no-build -r requirements.txt
steps: - bash: uv sync --no-build
steps: - bash: uv run --no-build script.py
steps: - bash: uv tool run --no-build pkg