Demonstrates how a malicious package can insert a load-time poison pill to avoid detection by tools like Safety.
Tools that are designed to find vulnerable packages can not ever run in the same python environment that they are trying to protect.
insecure-package, and this package with pip in the same python environment. Order doesn't matter.
Run the check
You should see both
Running my modified safety.check and that
insecure-package is not listed in the results!
Everything in Python is mutable. The trick is getting some code to run at interpreter load time in order to do some patching.
setup.pysettings installs a
malicious.pthfile to your
malicious.pthfile gets loaded anytime Python starts, which in turn imports our
malicious/__init__.pypatches the safety library with a custom function to avoid detection.