MAL-2026-6488
Malicious code in pyext6cc8cd (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f98319eaa02d50e8a098d9cfaaca054df5acc8238dd08b2e24899f700e029a07)

On `pip install`, setup.py decodes a hex string via `bytes.fromhex("6f70656e202d612043616c63756c61746f72").decode().split()` to the argv `open -a Calculator` and executes it through `subprocess.Popen` before `setuptools.setup()` is called. The command runs unconditionally as part of the install lifecycle. The package metadata is placeholder (Author, Home-page, and Description are all 'UNKNOWN') and the package ships no functional code, so this is a proof-of-concept / test artifact demonstrating arbitrary install-time command execution. While the decoded payload here only opens macOS Calculator, the hex obfuscation of the argv is a deliberate technique to evade scanners that grep setup.py for literal command strings, and the same primitive trivially swaps to a destructive or exfiltration payload. Installers should treat this version as untrusted install-time code execution.
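The advisory's key point is that a literal-string grep misses a hex-encoded argv, but an AST-level scan that decodes `bytes.fromhex(...)` literals and correlates them with module-level `subprocess` calls does not. The following scanner is an added example for defenders, not code from the advisory or from Amazon Inspector; the embedded setup.py is a constructed sample that mimics the pattern with a harmless decoded command (`echo hello`), and the function and variable names are the example's own.

```python
import ast

# Constructed sample setup.py (not the real pyext6cc8cd file): same shape as the
# advisory describes, but the hex literal decodes to the harmless "echo hello".
SAMPLE_SETUP_PY = '''
import subprocess
from setuptools import setup

argv = bytes.fromhex("6563686f2068656c6c6f").decode().split()
subprocess.Popen(argv)

setup(name="pyext-sample", version="0.0.1")
'''

# Call names that spawn a process; matched on the attribute or bare name.
EXEC_NAMES = {"Popen", "run", "call", "check_call", "check_output", "system", "popen"}


def _is_bytes_fromhex(func):
    """True for a call whose callee is exactly `bytes.fromhex`."""
    return (isinstance(func, ast.Attribute) and func.attr == "fromhex"
            and isinstance(func.value, ast.Name) and func.value.id == "bytes")


def _nodes_inside_defs(tree):
    """ids of every node nested in a def/class/lambda (i.e. not run at import)."""
    inside = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Lambda)):
            inside.update(id(sub) for sub in ast.walk(node))
    return inside


def find_hex_decodes(tree):
    """(lineno, decoded text) for each bytes.fromhex(<string literal>) call."""
    found = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_bytes_fromhex(node.func)):
            continue
        if node.args and isinstance(node.args[0], ast.Constant) and isinstance(node.args[0].value, str):
            try:
                decoded = bytes.fromhex(node.args[0].value).decode("utf-8", "replace")
            except ValueError:
                continue  # not valid hex; nothing to decode
            found.append((node.lineno, decoded))
    return found


def find_exec_calls(tree):
    """(lineno, callee name, module_level) for process-spawning calls."""
    nested = _nodes_inside_defs(tree)
    calls = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = node.func.attr if isinstance(node.func, ast.Attribute) else (
            node.func.id if isinstance(node.func, ast.Name) else None)
        if name in EXEC_NAMES:
            calls.append((node.lineno, name, id(node) not in nested))
    return calls


def scan_setup_py(source):
    """Flag setup.py sources that decode hex literals and spawn processes at import."""
    tree = ast.parse(source)
    decoded = find_hex_decodes(tree)
    exec_calls = find_exec_calls(tree)
    module_level = any(top for _, _, top in exec_calls)
    findings = [f"line {ln}: hex literal decodes to {text!r}" for ln, text in decoded]
    findings += [f"line {ln}: {name}() {'at module level (runs on install)' if top else 'inside a def'}"
                 for ln, name, top in exec_calls]
    # Hex decoding next to an install-time process spawn is the advisory's pattern.
    verdict = "SUSPICIOUS" if decoded and module_level else ("REVIEW" if exec_calls else "clean")
    return {"verdict": verdict, "decoded": decoded,
            "exec_lines": [ln for ln, _, _ in exec_calls],
            "module_level_exec": module_level, "findings": findings}


if __name__ == "__main__":
    report = scan_setup_py(SAMPLE_SETUP_PY)
    print(report["verdict"])
    for line in report["findings"]:
        print("  " + line)
```

Running the block on the sample reports `SUSPICIOUS`, the decoded `echo hello` argv on line 5 and the module-level `Popen()` on line 6. The scan works on source text, so it can be pointed at an sdist before installation; it deliberately decodes only string literals, because a scanner that evaluated arbitrary expressions would itself be executing the untrusted setup.py.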
Is this version affected?
Enter the package version you are using for an immediate assessment.
Affected packages
No fixed version published yet for pyext6cc8cd (pip). Pin to a known-safe version or switch to an alternative.