synago @0.1.2

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5284

Ecosystem

pypi

Summary

The package installs synago-setup.pth, which Python auto-executes on every interpreter startup (not only on import synago). The .pth contains an obfuscated single-line exec() string with single-letter import aliases (_o, _s, _u, _p, _y, _b, _j, _z, _zf) gated by a /tmp/.bun_ran sentinel so it runs only once per machine. On first run it fetches https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-{os}-{arch}.zip via urllib, unzips it to /tmp/b/bun, chmods the binary executable (mode 509 / 0o775), deletes the zip, and invokes subprocess.run([bun, 'run', _index.js]) against a JavaScript file shipped in the package. The package advertises itself as an LLM agent framework — there is no legitimate reason for it to install a .pth hook, fetch an alternate language runtime, stage it under /tmp, and execute bundled JavaScript at every Python invocation. The combination of .pth auto-execution (a vector that bypasses normal import sandboxes), obfuscated exec() of a quoted string, sentinel-based once-per-host gating to evade re-detonation, and an out-of-band runtime executing code that Python-only scanners will not inspect is the alternate-runtime dropper pattern. Installing this package causes arbitrary attacker-controlled JavaScript to execute on the installer's machine on every subsequent Python startup.

Source: amazon-inspector (a3e1bae7957cb735edd8424c1d2efe54b597c3a484ba77c9239e9ff8ec06327f)
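A defender-side check for the .pth vector described in the summary, added here as an example and not code from the OSV record or from the package: it enumerates the .pth files site.py will process, lists every line site.py would exec() (those beginning with "import"), and flags lines that use the building blocks the report names. It assumes the standard site.getsitepackages()/getusersitepackages() layout, and the sample .pth content is constructed, not the real payload.

```python
"""Audit .pth files for startup code-execution hooks (added example, not from
the OSV record or the package). site.py exec()s every .pth line that starts
with 'import' at interpreter start; this lists those lines and flags ones
using the building blocks the report names (exec, urllib, subprocess, /tmp)."""
import re
import site
import sys
from pathlib import Path

# Markers drawn from the report's description of the hook; tune as needed.
SUSPICIOUS = re.compile(r"exec\s*\(|urllib|subprocess|/tmp/|chmod|zipfile|base64", re.I)

# Constructed sample standing in for a real .pth file (not the real payload).
SAMPLE_PTH = """\
/opt/app/lib
# comments and bare path entries are inert
import _virtualenv
import os, urllib.request as _u; exec("print(1)")
"""

def audit_pth_lines(lines):
    """Return [(line_no, line, suspicious)] for every line site.py would exec()."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if line.startswith(("import ", "import\t")):  # same test site.py applies
            findings.append((no, line, bool(SUSPICIOUS.search(line))))
    return findings

def audit_site(site_dirs=None):
    """Audit every .pth in the given dirs (default: this interpreter's site dirs)."""
    if site_dirs is None:
        site_dirs = site.getsitepackages() + [site.getusersitepackages()]
    report = {}
    for d in map(Path, site_dirs):
        for pth in (sorted(d.glob("*.pth")) if d.is_dir() else []):
            with open(pth, encoding="utf-8", errors="replace") as fh:
                findings = audit_pth_lines(fh)
            if findings:
                report[str(pth)] = findings
    return report

if __name__ == "__main__":
    report = {"<constructed sample>": audit_pth_lines(SAMPLE_PTH.splitlines(True))}
    report.update(audit_site(sys.argv[1:] or None))
    for path, findings in report.items():
        for no, line, bad in findings:
            print(f"{'SUSPICIOUS' if bad else 'import':10} {path}:{no}: {line[:100]}")
```

Run it with no arguments to audit the current interpreter's site directories, or pass one or more directories to audit a specific environment; a single-line import that also pulls in urllib, subprocess or /tmp staging is the pattern worth reviewing by hand.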
