Cisco Talos maps the full taxonomy of Python-package build-time and import-time code execution ("The Serpent's Tongue")
Cisco Talos published a comprehensive technical survey of code-execution paths across the Python packaging lifecycle — repository hosting (PyPI, version-control, custom servers), source (sdist) and wheel distribution formats, and installation into virtual or system-wide environments — split into two classes and assessed for persistence (Cisco Talos, 2026-07-14). Build-hook abuses fire code during installation: setup.py executes automatically on install or download, so a malicious command class runs arbitrary code as a transient one-shot. The more consequential class is persistence: a .pth path-configuration file dropped into site-packages is executed on every subsequent Python invocation, and site-hook modules (sitecustomize.py/usercustomize.py) and PYTHONPATH hijacking behave the same way — the payload survives well beyond install time. Talos ties the .pth technique directly to TeamPCP's supply-chain compromise of the litellm package and the import-time __init__.py payload to its lightning compromise, part of a documented run of TeamPCP supply-chain waves. The piece closes on defensive measures — dependency auditing (pip-audit), hashed lock files, install-time controls and a dependency-cooldown window before adopting newly-published versions.
executes automatically during installation or download, allowing for the execution of arbitrary code.
they are executed with every invocation of Python, therefore exhibiting a persistent behavior on the victim endpoint.
ATT&CK mapping
3 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1195.001Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency. This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries. Adversaries may also employ "typosquatting" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user.
Execution TA0002
T1059.006Command and Scripting Interpreter: Python
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.
T1574.007Hijack Execution Flow: Path Interception by PATH Environment Variable
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.
Stealth TA0005
T1574.007Hijack Execution Flow: Path Interception by PATH Environment Variable
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.