Hackers Exploit Two Python Function Calls to Execute Malicious Code

Author: Florence Nightingale

Compiled by: Code Guardian

Hackers Exploit Two Python Function Calls to Execute Malicious CodeColumn: Supply Chain Security

In the digital age, software is ubiquitous. Software acts as a “virtual person” in society and has become one of the fundamental elements supporting the normal operation of society. The security of software is becoming a fundamental and foundational issue in today’s society.

With the rapid development of the software industry, the software supply chain has become increasingly complex and diverse. A complex software supply chain introduces a series of security issues, making the overall security protection of information systems increasingly difficult. In recent years, security attacks targeting the software supply chain have been on the rise, causing increasingly severe damage.

To address this, we have launched the “Supply Chain Security” column. This column gathers information on supply chain security, analyzes supply chain security risks, and provides mitigation suggestions to safeguard supply chain security.

Note: For previously published content related to supply chain security, please see the “Recommended Reading” section at the end.

Threat actors are exploiting a complex obfuscation technique to bypass detection systems and use Python’s eval() and exec() functions to execute malicious code.

In the past five years, there have been over 100 supply chain attack incidents targeting PyPI, posing serious risks to organizations relying on Python packages. The increasing number of threats has led to the development of advanced static analysis tools like Hexora, which detect obfuscated malicious code that traditional regex-based tools often fail to identify. Unlike simple pattern matching, these attacks leverage Python’s dynamic nature to execute arbitrary code while evading traditional security measures.

Advanced Obfuscation Techniques

Artem Golubin mentioned that basic malicious code injection utilizes complex evasion methods. The most rudimentary method involves direct function calls:

Hackers Exploit Two Python Function Calls to Execute Malicious Code

However, experienced threat actors will use obfuscable homographs to bypass regex-based detection systems:

Hackers Exploit Two Python Function Calls to Execute Malicious Code

This technique uses Unicode characters that appear similar to standard ASCII characters, making it more challenging for security tools that rely on simple string matching. More advanced attackers utilize this built-in module to obfuscate malicious intent: Hackers Exploit Two Python Function Calls to Execute Malicious Code

The __import__ function provides another evasion vector, allowing attackers to bypass traditional import statements while maintaining functionality:

Hackers Exploit Two Python Function Calls to Execute Malicious Code

Threat actors often use string concatenation and reversal to obfuscate function names and module references. Optional module access methods include using sys.modules, globals(), and locals(). The compile() function provides another attack vector, allowing code execution without direct eval() or exec() calls: Hackers Exploit Two Python Function Calls to Execute Malicious Code

Payloads delivered through these methods typically utilize multiple layers of encoding, including base64, hexadecimal, rot13, marshal, and zlib compression to further obfuscate malicious intent. This multi-layered approach makes static analysis extremely challenging and often requires dynamic analysis or sandboxing techniques. Security professionals recommend implementing a comprehensive detection strategy that combines static analysis, dynamic analysis, machine learning patterns, and human oversight to identify such complex attacks before they can compromise production environments.

Hackers Exploit Two Python Function Calls to Execute Malicious CodeOpen SourceGuardian trial address:https://sast.qianxin.com/#/loginCode Guardian trial address:https://codesafe.qianxin.comRecommended Reading

PyPI Intercepts 1800 Expired Domain Emails, Defending Against Supply Chain Attacks

Malicious Packages on PyPI Exploit Dependencies to Launch Software Supply Chain Attacks

Hackers Use Fake PyPI Sites for Phishing Attacks on Python Developers

Over 700 Malicious Misplaced Domain Libraries Target RubyGems Repository

NPM “Accidentally” Deletes Legitimate Stylus Package, Disrupting Global Pipelines and Builds

Firmware Development and Update Flaws Lead to Vulnerabilities That Are Hard to Fix for Years, Deeply Affecting Supply Chain Security

NPM Repository Infected with 67 Malicious Packages Spreading Malware

Online Reading Version: Full Text of “2025 China Software Supply Chain Security Analysis Report”

NPM Software Supply Chain Attacks Spread Malware

Covert NPM Supply Chain Attacks: Misplaced Domains Lead to RCE and Data Destruction

NPM Malicious Packages Use Unicode Steganography to Evade Detection

Aikido Discovers Malicious Code in Popular NPM Package rand-user-agent

The NPM Package xrpl.js from Ripple Contains a Backdoor to Steal Private Keys, Triggering a Supply Chain Attack

Original Linkhttps://cybersecuritynews.com/exploit-eval-or-exec-python-calls/

This article is compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate “Reprinted from Qi Anxin Code Guardian https://codesafe.qianxin.com” when reprinting.

Hackers Exploit Two Python Function Calls to Execute Malicious CodeHackers Exploit Two Python Function Calls to Execute Malicious Code

Qi Anxin Code Guardian (codesafe)

The first product line in China focused on software development security.

Leave a Comment