When installing dependencies, Python package managers like pip will automatically execute build scripts distributed along with the source code. The most common build script is setup.py, which runs arbitrary Python code during installation. Build scripts are a common way to execute malicious code at install time whenever a package is compromised. The modern approach is to use pyproject.toml instead, which does not execute arbitrary code during installation.

Why is this an issue?

When package managers execute installation scripts, they run arbitrary code distributed with third-party packages. A compromised package can use this mechanism to execute malicious code on the build system, potentially stealing credentials, injecting backdoors, or otherwise compromising the supply chain.

What is the potential impact?

If a dependency is compromised and its scripts are executed, an attacker can run arbitrary code with the permissions of the process performing the installation. This can lead to credential theft from the build environment, introduction of backdoors into the application, or lateral movement within CI/CD infrastructure.

How to fix it in pip

Code examples

Noncompliant code example

pip install -r requirements.txt

Compliant solution

pip install --only-binary :all: -r requirements.txt

How to fix it in Poetry

Code examples

Noncompliant code example

poetry install

Compliant solution

POETRY_INSTALLER_ONLY_BINARY=:all: poetry install

How to fix it in uv

Code examples

Noncompliant code example

uv pip install -r requirements.txt  # Noncompliant

uv sync  # Noncompliant

uv run script.py  # Noncompliant

uv tool run pkg  # Noncompliant

Compliant solution

uv pip install --no-build -r requirements.txt

uv sync --no-build

uv run --no-build script.py

uv tool run --no-build pkg

Resources

Standards

• CWE - CWE-506 - Embedded Malicious Code
• CWE - CWE-829 - Inclusion of Functionality from Untrusted Control Sphere