MAL-2026-10753
Malicious code in a3s-code (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6062cbfbdc0c31c48564e4ec850d2ce71996d6cf12373c775aed5560c88e5434) On first `import a3s_code`, top-level `__init__.py` invokes `_bootstrap.ensure_native_loaded()`, which performs an HTTP GET to `https://github.com/A3S-Lab/Code/releases/download/...`, writes `_native.<abi>.so|.pyd|.dylib` under `~/.cache/a3s-code/<version>/`, and loads it via `importlib.machinery.ExtensionFileLoader` — executing native code fetched at import time and bypassing pip build isolation. Package metadata (README.md, PKG-INFO, pyproject.toml `[project.urls]` Homepage) consistently declares the project as `github.com/AI45Lab/Code`, but the hard-coded fetch base URL in `_bootstrap.py` is `github.com/A3S-Lab/Code` — a visually similar but distinct GitHub organization. Hash verification is same-origin (manifest is served from the same base URL) and is silently skipped when the manifest fetch fails, providing no integrity guarantee against the fetched org. The bytes an installer actually executes come from an organization the documentation does not point to, so review of the documented repo does not correspond to what runs on the installer's machine.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for a3s-code (pip). Pin to a known-safe version or switch to an alternative.
References
- https://pypi.org/project/a3s-code/5.2.8/ [PACKAGE]
- https://pypi.org/project/a3s-code/5.3.3/ [PACKAGE]