
Doesn't installing a python package from PyPI (optionally) run some of the code in the package? Like "setup.py"? I'd take advantage of that if I were injecting malicious code in a module.


Yep. In fact, I recently had to deal with this monstrosity https://pypi.org/project/awslambdaric whose setup.py invokes a shell script https://github.com/aws/aws-lambda-python-runtime-interface-c...

That shell script runs 'make && make install' on a couple of bundled dependencies, but in principle it could do anything https://github.com/aws/aws-lambda-python-runtime-interface-c...


For what it's worth, npm supports an option "ignore-scripts" for both "npm install" and "npm ci" (the latter of which ensures the installed packages match the integrity hashes from the package-lock.json file).

https://docs.npmjs.com/cli/v7/commands/npm-install/#ignore-s...

https://docs.npmjs.com/cli/v7/commands/npm-ci/#ignore-script...


Downloading a Python package (as done by scrapers, mirrors and security analysts) does not run setup.py. Only if the module is installed is this run.

It's analogous to downloading vs. running an executable.


Doing a pip install actually runs the setup.py of the package for source dist, which means running an executable.

It's not the case for wheels though, so you can protect yourself by restricting to binary: --only-binary.

Also doing a pip download is not susceptible to this issue, but most people do pip install.
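The distinction drawn in this thread (an sdist carries a setup.py that pip executes during install, a wheel is only unpacked, and a plain pip download runs nothing) can be checked before installing. The following is an added example, not code from the thread or from pip; it constructs a tiny sdist and a tiny wheel in memory (sample data, not real packages), reports whether pip would execute anything to install each one, flags process-spawning calls in setup.py (the "setup.py invokes a shell script" pattern mentioned above), and builds the hardened pip command line from the --only-binary flag discussed here plus pip's --require-hashes. The file names, the demo package and the regex of suspicious calls are assumptions for illustration.

```python
"""Triage a Python distribution archive before `pip install` runs it.

Workflow assumed here (not pip's own tooling):
  1. `pip download --no-deps --no-binary :all: <pkg>`  -> fetches the sdist without building it
  2. inspect_archive(...)                                -> does installing it execute code, and what?
  3. hardened_pip_args(...)                              -> install only wheels, pinned by hash
"""
import io
import re
import tarfile
import zipfile

# Calls inside setup.py that spawn processes or evaluate code at build time.
# This list is a heuristic chosen for the example, not an exhaustive rule set.
SPAWN_PATTERNS = re.compile(
    r"\b(subprocess\.\w+|os\.system|os\.popen|os\.exec\w*|exec|eval|__import__)\s*\("
)


def inspect_sdist(data: bytes) -> dict:
    """An sdist must be built, so pip executes its setup.py (or build backend) on install."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.split("/")[-1] == "setup.py":
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                flagged = [ln.strip() for ln in text.splitlines() if SPAWN_PATTERNS.search(ln)]
    return {"kind": "sdist", "runs_code": True, "hooks": {"setup.py": flagged}}


def inspect_wheel(data: bytes) -> dict:
    """A wheel is unpacked into site-packages; none of its code runs at install time."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {"kind": "wheel", "runs_code": False, "hooks": {}, "files": names}


def inspect_archive(filename: str, data: bytes) -> dict:
    """Dispatch on the distribution type pip would see."""
    if filename.endswith(".whl"):
        return inspect_wheel(data)
    if filename.endswith((".tar.gz", ".tgz")):
        return inspect_sdist(data)
    raise ValueError("unknown distribution type: " + filename)


def hardened_pip_args(requirements: str = "requirements.txt") -> list:
    """Install command that refuses sdists (so no setup.py ever runs) and pins every
    downloaded file to the hash recorded in the requirements file."""
    return ["pip", "install", "--only-binary", ":all:", "--require-hashes", "-r", requirements]


# ---- constructed sample archives (stand-ins for real PyPI downloads) ----
SUSPICIOUS_SETUP = """\
import subprocess
from setuptools import setup
# constructed: mirrors the 'setup.py invokes a shell script' pattern from the thread
subprocess.check_call(["sh", "scripts/build-deps.sh"])
setup(name="demo", version="1.0")
"""

CLEAN_SETUP = """\
from setuptools import setup
setup(name="demo", version="1.0")
"""


def _make_sdist(setup_py: str) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        content = setup_py.encode()
        info = tarfile.TarInfo("demo-1.0/setup.py")
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _make_wheel() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("demo-1.0.dist-info/METADATA", "Name: demo\nVersion: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("demo-1.0.tar.gz", _make_sdist(SUSPICIOUS_SETUP)),
                       ("demo-1.0-py3-none-any.whl", _make_wheel())]:
        print(name, inspect_archive(name, blob))
    print(" ".join(hardened_pip_args()))
```

The useful property is the asymmetry: inspecting the sdist with tarfile never executes setup.py, whereas `pip install` of the same file would. Combining `--only-binary :all:` with `--require-hashes` closes both halves of the issue raised above: nothing is built on the installing machine, and the wheel that is unpacked is the one whose hash was reviewed.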


Ah, sure. Just making the distinction that you don't have to actually use a module within your code: installing the module, even if you never use it in your own code, runs some of the code in that module.



