MAL-2026-4770
Malicious code in spip-pth-demo (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (bb61035c28fe642903fac1b2776b2593c1611831ce5553e63ef8b09a77e414c9)

The package installs a `suspicious-demo.pth` file into site-packages via setup.py's `data_files=[("", ["suspicious-demo.pth"])]`. Python auto-processes `.pth` files at every interpreter startup, and this one contains `import spip_pth_demo_marker`, whose module body is `import os; os.system("calc.exe")`. The result: every invocation of `python` on a host that has installed this package executes an OS command via the shell, with no user action required beyond installation. The README explicitly states the marker module 'only writes a benign marker line to stderr' and 'does not launch processes or run OS commands'; the shipped code directly contradicts this. While the specific argv (`calc.exe`) is innocuous on Windows and a no-op elsewhere, the mechanism is a fully functional persistent code-execution surface in the installer's Python environment; substituting any other command turns this into arbitrary RCE on every Python launch. `.pth`-based execution is particularly dangerous because it bypasses install-phase analysis and fires on every subsequent interpreter start, including in unrelated projects sharing the same environment.
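As an added defensive example (not part of the advisory or the package), the following audit classifies `.pth` lines the way CPython's `site.addpackage()` does and reports the `import` lines that would execute at every interpreter start. The sample `.pth` contents are constructed here to mirror the advisory's description; the real file is not reproduced.

```python
"""Audit .pth files for lines Python executes at interpreter startup.

CPython's site.addpackage() treats a .pth file line by line: blank lines
and lines starting with '#' are ignored, lines starting with 'import '
or 'import\\t' are passed to exec(), and every other line is appended to
sys.path as a directory. An 'import ...' line placed in site-packages by
a package therefore runs on every `python` launch, which is exactly the
mechanism the advisory above describes.
"""
import os
import sysconfig


def classify_pth_lines(text):
    """Return (lineno, kind, line) tuples; kind is 'exec', 'path' or 'skip'."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            results.append((n, "skip", line))
        elif line.startswith(("import ", "import\t")):
            results.append((n, "exec", line))
        else:
            results.append((n, "path", line))
    return results


def exec_lines(text):
    """Only the lines that site.py would exec() at startup."""
    return [(n, line) for n, kind, line in classify_pth_lines(text) if kind == "exec"]


def audit_site_packages(dirs=None):
    """Map each .pth file under the given dirs to its exec lines (if any)."""
    dirs = dirs or [sysconfig.get_paths()["purelib"]]
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = exec_lines(fh.read())
            if hits:
                findings[path] = hits
    return findings


# Constructed sample modelled on the advisory's suspicious-demo.pth (not the real file).
SAMPLE_PTH = "# demo marker\n\nimport spip_pth_demo_marker\n/opt/somelib\n"

if __name__ == "__main__":
    print("sample exec lines:", exec_lines(SAMPLE_PTH))
    for path, hits in audit_site_packages().items():
        print(path, hits)
```

Some legitimate tooling (editable installs, setuptools' own `.pth` shims) also uses `import` lines, so treat each hit as something to review against the package that shipped it rather than as proof of malice.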
Affected packages
No fixed version published yet for spip-pth-demo (pip). Pin to a known-safe version or switch to an alternative.