pypi

a3s-code @5.3.3

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10753

Ecosystem

pypi

Summary

On first import a3s_code , top-level __init__.py invokes _bootstrap.ensure_native_loaded() , which performs an HTTP GET to https://github.com/A3S-Lab/Code/releases/download/... , writes _native.<abi>.so|.pyd|.dylib under ~/.cache/a3s-code/<version>/ , and loads it via importlib.machinery.ExtensionFileLoader — executing native code fetched at import time and bypassing pip build isolation. Package metadata (README.md, PKG-INFO, pyproject.toml [project.urls] Homepage) consistently declares the project as github.com/AI45Lab/Code , but the hard-coded fetch base URL in _bootstrap.py is github.com/A3S-Lab/Code — a visually similar but distinct GitHub organization. Hash verification is same-origin (manifest is served from the same base URL) and is silently skipped when the manifest fetch fails, providing no integrity guarantee against the fetched org. The bytes an installer actually executes come from an organization the documentation does not point to, so review of the documented repo does not correspond to what runs on the installer's machine.

Source: amazon-inspector (6062cbfbdc0c31c48564e4ec850d2ce71996d6cf12373c775aed5560c88e5434)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.