[pypi] setup.py install based cmdclass not executed
exotel v0.1.6 downloads a malicious Windows binary when setup.py is called with "install".
Unfortunately we didn't execute the malicious payload, which would have called out to the domain "linkedopports[.]com", because pip called the "bdist" step to create a wheel and then installed the wheel:
Install succeeded:
Collecting exotel==0.1.6
Downloading exotel-0.1.6.tar.gz (2.2 kB)
Building wheels for collected packages: exotel
Building wheel for exotel (setup.py): started
Building wheel for exotel (setup.py): finished with status 'done'
Created wheel for exotel: filename=exotel-0.1.6-py3-none-any.whl size=1790 sha256=de7e1ccfae5d769d08346ca1091f41ff3cc753063a58240008ef9d94c0527c43
Stored in directory: /root/.cache/pip/wheels/c6/1e/3e/71d3147d5a3a8d82f51ee372046a92751b1dfa20432f29c144
Successfully built exotel
Installing collected packages: exotel
Successfully installed exotel-0.1.6
The setup.py contained the following (imports and indentation restored; the body of send() is truncated in the report):

from setuptools import setup
from setuptools.command.install import install

def send():
    # ... truncated ...
    pass

# Maps the "install" command to a subclass whose run() calls send() after the normal install.
class PostInstallCommand(install):
    def run(self):
        install.run(self)
        send()

setup(
    name='exotel',
    version='0.1.6',
    description='exotel',
    python_requires=">=3.6",
    install_requires=[''],
    tests_require=[],
    cmdclass={'install': PostInstallCommand},
)
Refs: https://storage.googleapis.com/ossf-malware-analysis-results/pypi/exotel/0.1.6.json, https://osv.dev/vulnerability/GHSA-cv6j-9835-p7fh
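Since the wheel build path never runs the overridden install command, a static check on the sdist's setup.py is a useful complement to the dynamic sandbox. The following is an added example, not code from the package-analysis project or from the issue author: it parses a setup.py with the standard library's ast module and flags cmdclass entries that map an install-path command to a local class overriding run(), listing the extra functions that run() calls for triage. The HOOKABLE_COMMANDS set is an assumption for this example, and SAMPLE_SETUP_PY is a constructed file with the same shape as the quoted setup.py but with a no-op send().

```python
"""Added example: static scan of a setup.py for cmdclass install hooks.

Not part of the package-analysis project; standard library only.
"""
import ast

# Setuptools commands that run on common install/build paths. A custom class mapped
# to one of these executes at install time. Assumed list for this example.
HOOKABLE_COMMANDS = {"install", "develop", "egg_info", "build_py", "bdist_wheel", "sdist"}


def _called_names(func_node):
    """Names of plain functions called anywhere inside a def body (e.g. 'send')."""
    names = set()
    for n in ast.walk(func_node):
        if isinstance(n, ast.Call) and isinstance(n.func, ast.Name):
            names.add(n.func.id)
    return names


def find_cmdclass_hooks(source):
    """Map each cmdclass key passed to setup(...) to facts about the class it names."""
    tree = ast.parse(source)
    classes = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}
    hooks = {}
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Accept both `setup(...)` and `setuptools.setup(...)`.
        callee = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if callee != "setup":
            continue
        for kw in node.keywords:
            if kw.arg != "cmdclass" or not isinstance(kw.value, ast.Dict):
                continue
            for key, val in zip(kw.value.keys, kw.value.values):
                if not (isinstance(key, ast.Constant) and isinstance(val, ast.Name)):
                    continue
                cls = classes.get(val.id)
                body = cls.body if cls is not None else []
                run = next((b for b in body
                            if isinstance(b, ast.FunctionDef) and b.name == "run"), None)
                hooks[key.value] = {
                    "class": val.id,
                    "overrides_run": run is not None,
                    "hookable": key.value in HOOKABLE_COMMANDS,
                    # Calls other than the parent's install.run(self), which is an Attribute call
                    "extra_calls": sorted(_called_names(run)) if run is not None else [],
                }
    return hooks


def is_suspicious(source):
    """True when an install-path command maps to a local class that overrides run()."""
    return any(h["hookable"] and h["overrides_run"]
               for h in find_cmdclass_hooks(source).values())


# Constructed sample mirroring the shape of the quoted setup.py; send() does nothing here.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install

def send():
    pass  # placeholder; the real payload body is not reproduced

class PostInstallCommand(install):
    def run(self):
        install.run(self)
        send()

setup(
    name='exotel',
    version='0.1.6',
    cmdclass={'install': PostInstallCommand},
)
'''

# Constructed benign control with no cmdclass at all.
BENIGN_SETUP_PY = "from setuptools import setup\nsetup(name='pkg', version='1.0')\n"

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(label, "suspicious =", is_suspicious(src), find_cmdclass_hooks(src))
```

Run against an extracted sdist's setup.py, the hook report gives an analyst the command name, the class, and the helper functions to read first (here, send), independent of whether the sandbox's pip invocation ever reaches the install command.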
I just ran some tests, and setup.py install was actually run. Probably it's because the environment variable COMPUTERNAME doesn't exist, so the malicious payload is not executed. https://inspector.pypi.io/project/exotel/0.1.6/packages/8b/ed/9ebeb34d4adb9b01151d73ccfde9c1cb2d629c3b146953c8727559a65446/exotel-0.1.6.tar.gz/exotel-0.1.6/setup.py#line.9
Maybe related to #586.