cmd2func @0.2.3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5290

Ecosystem

pypi

Summary

The package installs cmd2func-setup.pth, a .pth file that Python auto-loads at every interpreter start. The single-line payload uses the .pth import trick, with an "or exec(...)" construct and mangled single-letter identifiers, to smuggle a multi-statement body past review. When executed, the payload checks for a sentinel at /tmp/.bun_ran and, if it is absent, downloads the Bun runtime zip from https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-{platform}-{arch}.zip into /tmp/b/, extracts the bun binary, chmods it executable (0o775), and runs "bun run _index.js" against a JS file resolved via glob inside the package. The advertised purpose of cmd2func is "Convert command to callable Python object"; there is no legitimate need for an alternate JavaScript runtime. The combination of a hidden .pth auto-loader, an obfuscated payload, an alternate-runtime dropper, and unrelated JS execution is a covert dropper that fires on every Python interpreter invocation after install, not only at install time. The RECORD/metadata references the prior 0.2.1 version, consistent with a hijack of a previously legitimate package.

Source: amazon-inspector (055d480cc069717b82f618e12d453e7d8dc7d2e83bf77ae25ae23f71e73a1d1a)
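
As an added illustration (not part of the OSV record or of the cmd2func package), the following audit script applies the detection angle the summary points to: site.py only executes a .pth line that begins with "import", so flagging such lines that carry exec(, statement separators or downloader tokens surfaces this class of auto-loader. The sample .pth contents are constructed and harmless; the token list is an assumption, not a published signature.

```python
"""Audit .pth files for the auto-loading import trick (constructed detector)."""
import re
import site
from pathlib import Path

# site.py executes any .pth line that starts with "import " (or "import\t");
# every other non-comment line is just a directory appended to sys.path.
IMPORT_LINE = re.compile(r"^import[ \t]")

# Tokens that a legitimate .pth import line (e.g. "import _virtualenv") never
# needs; the list is an assumption chosen to catch exec-based one-liners.
SUSPICIOUS = (
    "exec(", "eval(", "compile(", "__import__", "getattr(",
    "os.system", "subprocess", "urllib", "urlopen", "base64",
    "/tmp/", "chmod", "zipfile", ";",
)


def audit_pth_text(text: str):
    """Return (line_no, reason) findings for the contents of one .pth file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not IMPORT_LINE.match(line):
            continue  # plain sys.path entries cannot execute code
        hits = [tok for tok in SUSPICIOUS if tok in line]
        if hits:
            findings.append((n, "suspicious tokens: " + ", ".join(hits)))
        elif len(line) > 200:
            findings.append((n, "unusually long import line"))
    return findings


def audit_site_packages():
    """Walk every site-packages directory and audit each .pth file found."""
    report = {}
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        for pth in Path(d).glob("*.pth"):
            hits = audit_pth_text(pth.read_text(errors="replace"))
            if hits:
                report[str(pth)] = hits
    return report


# Constructed samples: a benign virtualenv-style .pth, and one with the same
# single-line import;exec shape as the dropper above but a harmless body.
BENIGN = "/usr/lib/python3/dist-packages\nimport _virtualenv\n"
DROPPER_LIKE = 'import os;a=os;exec("import sys\\nprint(sys.version)")\n'

if __name__ == "__main__":
    print(audit_pth_text(DROPPER_LIKE))
    for path, hits in audit_site_packages().items():
        print(path, hits)
```

Running the script audits the interpreter it is run with, so execute it under every Python installation a build host uses, not only the default one.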
