tiktoken-mcp @0.13.2

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5326

Ecosystem

pypi

Summary

tiktoken-mcp impersonates the OpenAI-published tiktoken package: its METADATA copies the upstream Name/Summary, Author 'Shantanu Jain', Author-email 'shantanu@openai.com', and Project-URL pointing at github.com/openai/tiktoken, with the upstream README bundled.

The package ships tiktoken-setup.pth, which Python's site.py auto-executes at every interpreter start. The .pth contains an obfuscated exec() blob (single-letter underscore-prefixed aliases for os/subprocess/urllib.request/platform/sys/shutil/glob) that, on first run, downloads the Bun JS runtime from https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-<platform>-<arch>.zip, extracts it to /tmp/b/bun, then walks sys.path searching for any file named '_index.js' in any package directory and executes it with 'bun run'.

The package itself does not ship an _index.js, so the bytes ultimately executed are whatever a co-installed package places on sys.path under that name — i.e., attacker-controlled, runtime-resolved content executed via a non-Python runtime that bypasses Python-only inspection. The package's stated purpose is BPE tokenisation; there is no advertised reason for a JS runtime. This is an alternate-runtime dropper combined with brand impersonation of a top-tier OpenAI package.
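A defender-side check for the .pth mechanism described in the summary, added here as an example and not taken from the OSV record or from Amazon Inspector: it lists every line in site-packages .pth files that site.py would execute and tags lines that use code-execution or download primitives. The token list, the function names and the sample file names are assumptions of this example.

```python
import os
import re
import site
import tempfile

# Heuristic token list (an assumption of this example; tune for your environment).
SUSPICIOUS = re.compile(r"\b(exec|eval|compile|__import__|subprocess|urllib|base64)\b")

def scan_pth_text(text):
    """Return (line_number, reasons) for each line site.py would execute."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        # site.py only exec()s lines starting with "import" + space or tab;
        # any other non-comment line is a directory to append to sys.path.
        if not line.startswith(("import ", "import\t")):
            continue
        reasons = sorted(set(SUSPICIOUS.findall(line)))
        if ";" in line:
            reasons.append("multiple statements")
        if len(line) > 200:
            reasons.append("long line")
        findings.append((number, reasons or ["plain import"]))
    return findings

def scan_dirs(dirs):
    """Map each .pth file in the given directories to its executable lines."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                path = os.path.join(d, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_pth_text(fh.read())
                if found:
                    report[path] = found
    return report

def demo():
    """Scan a temp dir holding two constructed .pth files (benign stand-ins)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "paths-only.pth"), "w") as fh:
            fh.write("# constructed sample\n/opt/example/lib\n")
        with open(os.path.join(d, "sample-setup.pth"), "w") as fh:
            fh.write("import os as _o; exec(compile('pass', 's', 'exec'))\n")
        return {os.path.basename(p): f for p, f in scan_dirs([d]).items()}

if __name__ == "__main__":
    for path, found in scan_dirs(site.getsitepackages() + [site.getusersitepackages()]).items():
        print(path, found)
```

Legitimate files such as setuptools' distutils-precedence.pth also contain executable lines, so the output is a review list for an analyst, not a verdict.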

Source: amazon-inspector (ac746100211f13951c190e98140c6948be51d7be9257b2b26bcc9baef19be29f)
