September 22, 2023

Researchers have discovered a novel attack that used compiled Python byte code  was identified as potentially the first supply chain attack in which bad actors executed PYC files to avoid detection and load malware.

Researchers said this discovery comes amid a spike in malicious submissions to the Python Package Index, normally referred to as PyPI. The  researchers said the ability to execute PYC files poses yet another supply chain risk because most security tools only scan for Python source code files (PY) and would miss this type of attack.

The discovered malicious package named fshec2 to the PyPI security team on April 17 and it was removed from the PyPI repository the same day. The researchers said the PyPI security team has also acknowledged this type of attack as interesting and the PyPI team agreed that it had not been previously seen.


The malicious code was uncovered via dynamic analysis and they were able to detect it because of the misconfigurations and poor C2 infrastructure setup of the malware writers, Threat actors are always trying novel ways to get malicious code on machines anyway possible. He said this obfuscation technique allows the compile code to get past security scanners.

The challenges associated with scanning byte code have been known for some time and similar problems can exist with .net byte code and java, further showing us the many challenges of managing software supply chains.

This research was documented by researchers from Reversing Labs

Indicators Of Compromise

  • 7be50d49efd1e8199decf84dc4623f58b8686161
  • bab57a9aac8e138e4e2a9f8079fd50b7c1d31540

1 thought on “Byte Code Bites PYPI

Leave a Reply

%d bloggers like this: