Cybersecurity researchers have discovered vulnerable code in legacy Python packages that could potentially lead to supply chain compromise via a domain takeover attack.
Software supply chain security company ReversingLabs said it found a “vulnerability” in Bootstrap files provided by a build and deployment automation tool called “zc.buildout.”
“The script automates the process of downloading, building, and installing required libraries and tools,” said security researcher Vladimir Pezo. “Specifically, when the bootstrap script executes, it fetches and executes an installation script for the package. Distribute from python-distribute[.]org – a legacy domain that is now available for sale in a premium price range while being managed to increase advertising revenue.”
The PyPI package includes a bootstrap script that accesses the domains in question, including Tornado, Pypiserver, slapos.core, roman, xutils, and testfixtures.
The root of the problem is related to an old bootstrap script (“bootstrap.py”) that was used with the zc.buildout tool to initialize the buildout environment. The Python script also supported the ability to install a packaging utility called “distribute”, a short-lived fork of the SetupTools project, in the local environment.
To achieve this, the distribute installation script (“distribute_setup.py”) is obtained from python-distribute[.]org, a domain that has been for sale since 2014. In adding the option, the idea was to instruct the Bootstrap script to download and install the distribute package instead of the old setuptools package to manage the eggs and dependencies for the build.
It is important to note that the distributed fork came into existence due to the lack of active development of setuptools, the main package management tool used at that time. However, the features of the distribute were integrated back into Setuptools in 2013, making the distribute obsolete.
The issue identified by ReversingLabs is related to the fact that many packages continue to ship a bootstrap script that attempts to install distribute either by default or when a command-line option (“-d” or “–distribute”) is specified. This, along with the fact that the domain in question is up for grabs, puts users at latent risk because when the bootstrap script is inadvertently run an attacker can weaponize this setup to serve malicious code and potentially steal sensitive data.
Although some affected packages have taken steps to remove the Bootstrap script, the Slapos.core package still continues to ship vulnerable code. It is also included in the development and maintenance version of Tornado.
Another important aspect to consider here is that the bootstrap script is not automatically executed during package installation and is written in Python 2. This means that the script cannot be executed with Python 3 without modifications. But the mere presence of the file leaves an “unnecessary attack surface” that attackers can take advantage of if developers are tricked into running code that triggers execution of the bootstrap script.
The threat of domain takeover is not theoretical. In 2023, it was discovered that the npm package fsevents was compromised by a bad actor who seized control of an unclaimed cloud resource hosted at fsevents-binaries.s3-us-west-2.amazonaws.[.]com to push malicious executables to users who installed certain versions of the package (CVE-2023-45311, CVSS score: 9.8).
“The problem lies in the programming pattern that involves fetching and executing payloads from a hard-coded domain, which is a pattern commonly seen in malware that exhibits downloader behavior,” Pezzo said. “The failure to formally decommission the distribute module allowed the vulnerable Bootstrap script to run for a long time and left an unknown number of projects exposed to potential attack.”
The revelation came when HelixGuard discovered a malicious package called “spellcheckers” in PyPI, which claims to be a tool to check spelling errors using OpenAI vision, but contains malicious code designed to connect to an external server and download the next stage payload, which then executes a remote access trojan (RAT).
The package, which was first uploaded to PyPI on November 15, 2025 by a user named Leo636722, has been downloaded 955 times. It is no longer available for download.
“This RAT can receive remote commands and execute attacker-controlled Python code via exec(), enabling full remote control over the victim’s host,” HelixGuard said. “When the user installs and runs the malicious package, the backdoor is activated, allowing the attacker to remotely control the user’s computer.”
