pantheon-toolsets @0.5.6

Summary

The wheel installs pantheon_toolsets-setup.pth, which Python automatically executes at every interpreter startup (before any user import). The.pth contains a single obfuscated line using single-letter underscore-prefixed identifiers (_O, _T, _G, _o, _s, _u, _b, _a, _m, _z,...) and wraps the payload inside exec() of a string literal — a shape that has no legitimate use in a.pth file (which is normally limited to plain import statements / sys.path entries). The exec'd code: (1) checks a sentinel /tmp/.bun_ran to ensure one-shot execution, (2) downloads the Bun JavaScript runtime from https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-{platform}-{arch}.zip into /tmp/b/bun, (3) glob-searches the install tree for any *_index.js* file, and (4) runs it via subprocess with bun run <globbed_index.js> . The package is advertised as a Python AI-agent toolset and has no documented need for an alternate JavaScript runtime. The globbed _index.js payload is not declared in the wheel manifest and is fetched/staged opaquely, so the bytes ultimately executed are not auditable from the package metadata. Additional tampering fingerprint: the 0.5.5 RECORD references a 0.5.4 dist-info directory and lists its own RECORD with the empty-string SHA-256 and zero size, consistent with a malicious file appended to an otherwise legitimate build by someone with publish credentials. Installing this package causes arbitrary attacker-stageable code to run with the user's privileges every time python is invoked.

Source: amazon-inspector (a3f2d24843d0caf23a36f07f7bd7b3adb7163463404856654f1745c7e75017be)