executor-http @0.1.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5281
Ecosystem
pypi
Summary
The package ships executor_http-setup.pth, which Python auto-loads at interpreter start in any environment where the package is installed. The .pth file calls exec() on an obfuscated single-line string (mangled one-letter underscore identifiers such as _O, _T, _G, _u, _s, _b, _z) that downloads https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-{platform}-{arch}.zip to /tmp/b/bun, chmods it executable, then runs subprocess.run([bun, 'run', _index.js]) to execute a sibling JavaScript file under the Bun runtime. A /tmp/.bun_ran sentinel suppresses re-execution. The advertised purpose of executor-http is a FastAPI/uvicorn HTTP server for executor-engine; there is no legitimate reason for it to fetch a JavaScript runtime and execute JS code outside of Python's view. The legitimate FastAPI source under executor/http/ appears unmodified, and the distribution metadata is inconsistent (__init__.py reports 0.1.2, METADATA says 0.1.3, RECORD references executor_http-0.1.2.dist-info), consistent with a hijacked publish credential adding a dropper to an otherwise normal upstream release. The .pth-based auto-execution mechanism is itself an evasion technique that bypasses review of __init__.py and lifecycle hooks, and the alternate-runtime stage (Bun executing _index.js) places the actual payload outside any Python static analysis surface.
Source: amazon-inspector (cde4da7201fbc0dd3ae09240232f5767c2893e33977d6c8ee9071d15e79f0363)