Supply-chain threat intelligence
Risk score
92
Indexed incident for spip-pth-demo (pypi).
The package installs a suspicious-demo.pth file into site-packages via setup.py's data_files=[("", ["suspicious-demo.pth"])]. Python auto-processes .pth files at every interpreter startup, and this one contains import spip_pth_demo_marker, whose module body is import os; os.system("calc.exe"). The result: every invocation of python on a host that has installed this package executes an OS command via the shell, with no user action required beyond installation. The README explicitly states the marker module 'only writes a benign marker line to stderr' and 'does not launch processes or run OS commands' — the shipped code directly contradicts this. While the specific argv (calc.exe) is innocuous on Windows and a no-op elsewhere, the mechanism is a fully functional persistent code-execution surface in the installer's Python environment; substituting any other command turns this into arbitrary RCE on every Python launch. .pth-based execution is particularly dangerous because it bypasses install-phase analysis and fires on every subsequent interpreter start, including in unrelated projects sharing the same environment.
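A defensive check for the mechanism described above, added here as an example and not part of the incident record: it applies CPython's own .pth rule (a line starting with "import " or "import\t" is executed, anything else non-comment is a path entry) to a site-packages directory and reports every line that would run at interpreter startup. The directory contents, file names other than suspicious-demo.pth, and the path /opt/example/src are constructed samples.

```python
"""Flag .pth lines that CPython's site.addpackage() would exec() at startup."""
import os
import tempfile

# CPython executes a .pth line only when it begins with one of these prefixes.
EXEC_PREFIXES = ("import ", "import\t")


def find_exec_pth_lines(site_dir):
    """Return (filename, line_no, line) for every .pth line that would be executed."""
    findings = []
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(site_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, raw in enumerate(fh, start=1):
                line = raw.rstrip("\n")
                if not line.strip() or line.startswith("#"):
                    continue  # blank and comment lines are ignored by site.py
                if line.startswith(EXEC_PREFIXES):
                    findings.append((name, line_no, line))
    return findings


def build_demo_site_packages():
    """Create a constructed site-packages directory with one legitimate .pth
    (a plain path entry) and one mirroring the incident's import line."""
    site_dir = tempfile.mkdtemp(prefix="pth-scan-demo-")
    # Constructed benign sample: path lines are only appended to sys.path.
    with open(os.path.join(site_dir, "legit-editable.pth"), "w", encoding="utf-8") as fh:
        fh.write("# editable install (constructed sample)\n/opt/example/src\n")
    # Constructed copy of the incident's .pth content; the scanner never imports it.
    with open(os.path.join(site_dir, "suspicious-demo.pth"), "w", encoding="utf-8") as fh:
        fh.write("import spip_pth_demo_marker\n")
    return site_dir


if __name__ == "__main__":
    for name, line_no, line in find_exec_pth_lines(build_demo_site_packages()):
        print(f"{name}:{line_no}: runs at every interpreter start -> {line!r}")
```

Point `find_exec_pth_lines` at a real environment's site-packages (for example `sysconfig.get_paths()["purelib"]`) to audit it; any hit that is not a known editable-install or namespace-package shim deserves a look at the module it imports.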
Affected versions
Indicators
Timeline