Author: Florence Nightingale
Compiled by: Code Guardian
Column: Supply Chain Security
In the digital age, software is ubiquitous. Software acts as a “virtual person” in society and has become one of the fundamental elements supporting the normal operation of society. The security of software is becoming a fundamental and foundational issue in today’s society.
With the rapid development of the software industry, the software supply chain has become increasingly complex and diverse. A complex software supply chain introduces a series of security issues, making the overall security protection of information systems increasingly difficult. In recent years, security attacks targeting the software supply chain have been on the rise, causing increasingly severe damage.
To address this, we have launched the “Supply Chain Security” column. This column gathers information on supply chain security, analyzes supply chain security risks, and provides mitigation suggestions to safeguard supply chain security.
Note: For previously published content related to supply chain security, please see the “Recommended Reading” section at the end.
Threat actors are exploiting a complex obfuscation technique to bypass detection systems and use Python’s eval() and exec() functions to execute malicious code.
In the past five years, there have been over 100 supply chain attack incidents targeting PyPI, posing serious risks to organizations relying on Python packages. The increasing number of threats has led to the development of advanced static analysis tools like Hexora, which detect obfuscated malicious code that traditional regex-based tools often fail to identify. Unlike simple pattern matching, these attacks leverage Python’s dynamic nature to execute arbitrary code while evading traditional security measures.
Advanced Obfuscation Techniques
Artem Golubin mentioned that basic malicious code injection utilizes complex evasion methods. The most rudimentary method involves direct function calls:

However, experienced threat actors will use obfuscable homographs to bypass regex-based detection systems:

This technique uses Unicode characters that appear similar to standard ASCII characters, making it more challenging for security tools that rely on simple string matching. More advanced attackers utilize this built-in module to obfuscate malicious intent: 
The __import__ function provides another evasion vector, allowing attackers to bypass traditional import statements while maintaining functionality:

Threat actors often use string concatenation and reversal to obfuscate function names and module references. Optional module access methods include using sys.modules, globals(), and locals(). The compile() function provides another attack vector, allowing code execution without direct eval() or exec() calls: 
Payloads delivered through these methods typically utilize multiple layers of encoding, including base64, hexadecimal, rot13, marshal, and zlib compression to further obfuscate malicious intent. This multi-layered approach makes static analysis extremely challenging and often requires dynamic analysis or sandboxing techniques. Security professionals recommend implementing a comprehensive detection strategy that combines static analysis, dynamic analysis, machine learning patterns, and human oversight to identify such complex attacks before they can compromise production environments.
Open SourceGuardian trial address:https://sast.qianxin.com/#/loginCode Guardian trial address:https://codesafe.qianxin.comRecommended Reading
PyPI Intercepts 1800 Expired Domain Emails, Defending Against Supply Chain Attacks
Malicious Packages on PyPI Exploit Dependencies to Launch Software Supply Chain Attacks
Hackers Use Fake PyPI Sites for Phishing Attacks on Python Developers
Over 700 Malicious Misplaced Domain Libraries Target RubyGems Repository
NPM “Accidentally” Deletes Legitimate Stylus Package, Disrupting Global Pipelines and Builds
Firmware Development and Update Flaws Lead to Vulnerabilities That Are Hard to Fix for Years, Deeply Affecting Supply Chain Security
NPM Repository Infected with 67 Malicious Packages Spreading Malware
Online Reading Version: Full Text of “2025 China Software Supply Chain Security Analysis Report”
NPM Software Supply Chain Attacks Spread Malware
Covert NPM Supply Chain Attacks: Misplaced Domains Lead to RCE and Data Destruction
NPM Malicious Packages Use Unicode Steganography to Evade Detection
Aikido Discovers Malicious Code in Popular NPM Package rand-user-agent
The NPM Package xrpl.js from Ripple Contains a Backdoor to Steal Private Keys, Triggering a Supply Chain Attack
Original Linkhttps://cybersecuritynews.com/exploit-eval-or-exec-python-calls/
This article is compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate “Reprinted from Qi Anxin Code Guardian https://codesafe.qianxin.com” when reprinting.


Qi Anxin Code Guardian (codesafe)
The first product line in China focused on software development security.