pantheon-agents @0.6.2

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5299

Ecosystem

pypi

Summary

The package installs pantheon_agents-setup.pth into site-packages. Python auto-executes such files at every interpreter startup, which is broader than import-time: the hook fires on any python invocation regardless of whether the package is imported. The single-line .pth body wraps its payload in an exec() of an obfuscated string and uses systematically renamed single-letter import aliases (os as _O, tempfile as _T, urllib.request as _u, subprocess as _s, platform as _p, etc.), which hides urllib.request.urlretrieve, zipfile extraction, os.chmod, and subprocess.run from static AST inspection.

The payload downloads the Bun JavaScript runtime from https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-{platform}-{arch}.zip to /tmp/b/bun, chmods it 0o775, and runs it against an _index.js file resolved by glob across pantheon/*/_index.js. A sentinel file at /tmp/.bun_ran gates re-execution.

Two compounding harms: (1) Python startup performs an unconditional outbound network fetch and writes and executes a fetched binary outside Python's view, the alternate-runtime-dropper pattern; (2) any sibling package (or future update) that drops a file at pantheon/*/_index.js is silently executed by the dropped Bun binary at every Python startup, providing a persistent execution sink. The combination of .pth auto-execution, exec()-wrapped obfuscation, and remote-runtime fetch-and-execute is a textbook supply-chain-attack fingerprint.

Source: amazon-inspector (1ee06d7aabbdf76969119c2f986e18bbc7f0dcac59ae9cae4f7a04798f2d083d)
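As an added defender-side example (not the report's or Amazon Inspector's tooling), the following Python script turns the fingerprint described in the summary into a heuristic check over installed .pth files: site.py exec()s only lines that begin with "import", so the script flags such lines that wrap exec(), alias the modules named above to one- or two-character names, or reference a URL, urlretrieve or a /tmp path. The .pth bodies it carries are constructed stand-ins for a self-check, not the actual payload, and the finding strings are this example's own.

```python
import re
import site
from pathlib import Path

# Modules the report names as single-letter aliases in the exec()-wrapped .pth line.
RISKY_MODULES = {"os", "subprocess", "urllib.request", "tempfile", "zipfile", "platform"}
ALIAS_RE = re.compile(r"([\w.]+)\s+as\s+_?\w{1,2}\b")   # "os as _O", "subprocess as _s"
EXEC_RE = re.compile(r"\bexec\s*\(")
FETCH_RE = re.compile(r"https?://|urlretrieve|/tmp/")

def score_pth_line(line):
    """Return the findings for one .pth line; an empty list means nothing suspicious."""
    stripped = line.strip()
    if not stripped.startswith("import"):
        return []   # site.py only exec()s "import ..." lines; path entries just extend sys.path
    findings = []
    if EXEC_RE.search(stripped):
        findings.append("exec() in .pth import line")
    risky = sorted({m.group(1) for m in ALIAS_RE.finditer(stripped)} & RISKY_MODULES)
    if risky:
        findings.append("short aliases for " + ", ".join(risky))
    if FETCH_RE.search(stripped):
        findings.append("URL, urlretrieve or /tmp path")
    return findings

def scan_pth_text(name, text):
    """Map 'name:lineno' to findings for each suspicious line of one .pth body."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = score_pth_line(line)
        if hits:
            report[f"{name}:{n}"] = hits
    return report

def scan_site_packages(site_dirs):
    """Scan every *.pth under the given site-packages directories."""
    report = {}
    for d in site_dirs:
        for pth in Path(d).glob("*.pth"):
            report.update(scan_pth_text(str(pth), pth.read_text(errors="replace")))
    return report

# Constructed .pth bodies for a self-check; SUSPECT_PTH mimics only the aliasing shape.
BENIGN_PTH = "import _virtualenv\n/usr/lib/python3/dist-packages\n"
SUSPECT_PTH = ("import os as _O, tempfile as _T, urllib.request as _u, subprocess as _s; "
               "exec(_O.getenv('CONSTRUCTED_PLACEHOLDER'))\n")

if __name__ == "__main__":
    print(scan_site_packages(site.getsitepackages() + [site.getusersitepackages()]))
```

Run it inside each interpreter or virtualenv you want to audit, since site.getsitepackages() reports only that interpreter's directories.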
