In recent months, security researchers have uncovered a novel attack vector targeting Python package installers through ambiguities in the ZIP archive format.
By exploiting discrepancies between local file headers and the central directory, malicious actors can craft seemingly benign wheel distributions that, when unpacked by vulnerable installers, silently smuggle unauthorized files into the target environment.
This technique leverages legacy features of the ZIP standard—developed in 1989 to support incremental updates across multiple storage volumes—and abuses the lack of strict cross-validation in many popular Python installers.
Initial reports surfaced when maintainers of the uv installer noticed files appearing outside intended package directories upon extraction.
Analysts writing on the Python Package Index blog identified that certain wheel files contained mismatched RECORD entries and central directory headers, leading unzip-style tools to include extraneous payloads during installation.
While PyPI has seen no confirmed incidents of real-world exploitation to date, the advisory underscores the potential for supply-chain compromise in one of the largest software repositories.
To address this emerging threat, PyPI is implementing a series of stringent validation checks on all uploaded ZIP and wheel archives.
Wheels with duplicate filenames between local file headers and the central directory will be rejected, as will archives with invalid framing or trailing data.
Starting February 1, 2026, any wheel whose contents do not precisely match the RECORD metadata file will be blocked at upload, following a six-month warning period.
These measures aim to force both packagers and installer projects to adopt robust parsing logic and enforce cross-checks against embedded checksums.
Infection Mechanism via RECORD Mismatch
The core of this attack lies in the installer’s failure to verify RECORD entries against actual ZIP contents before extraction.
A malicious wheel can list only benign files in RECORD, such as __init__.py and module.py, while embedding additional payloads under different local file header names.
When an installer reads the central directory first, it trusts the list of files to extract; however, unzip-equivalent implementations may process local file headers sequentially, inadvertently installing hidden backdoors.
A minimal illustration of the mismatch, writing a RECORD that omits a file the archive actually carries:

    # Example: crafting a RECORD that lists only the benign files
    # (the digests below are placeholders; real RECORD entries carry
    # urlsafe-base64 SHA-256 digests and a file size)
    with open('RECORD', 'w') as rec:
        rec.write('package/__init__.py,sha256=abcdef1234567890,\n')
        rec.write('package/module.py,sha256=123456abcdef7890,\n')
        # Payload file deliberately omitted from RECORD
The RECORD Discrepancy Table illustrates a sample archive where the local file header package/installer_backdoor.py is absent from RECORD, yet present in the ZIP payload.
By rejecting such mismatches, PyPI ensures only fully validated wheels enter the ecosystem.
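The cross-checks described above, as an added example that is not from the advisory or from any installer's code: it walks the local file headers sequentially (as unzip-style tools do), compares them with the central directory that zipfile reads, and then verifies every archived file against RECORD. The archive is constructed inline with zipfile; the dist-info name package-1.0.dist-info and the RECORD digest format (urlsafe base64 SHA-256) are assumptions, and the file names are those used in the article.

```python
import base64
import hashlib
import io
import struct
import zipfile

def local_header_names(data: bytes) -> list[str]:
    # Walk local file headers sequentially, the way unzip-style extractors do.
    names, off = [], 0
    while data[off:off + 4] == b"PK\x03\x04":
        f = struct.unpack("<4s2B4H3L2H", data[off:off + 30])  # 30-byte local header
        csize, nlen, xlen = f[8], f[10], f[11]
        names.append(data[off + 30:off + 30 + nlen].decode("utf-8"))
        off += 30 + nlen + xlen + csize  # assumes flag bit 3 (data descriptor) is clear
    return names

def record_digest(content: bytes) -> str:
    # RECORD digest format (assumed): urlsafe base64 of SHA-256, '=' padding stripped.
    raw = base64.urlsafe_b64encode(hashlib.sha256(content).digest())
    return "sha256=" + raw.rstrip(b"=").decode()

def check_wheel(data: bytes) -> list[str]:
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        central = zf.namelist()  # zipfile trusts the central directory
        if sorted(local_header_names(data)) != sorted(central):
            findings.append("local file headers disagree with central directory")
        record_name = next(n for n in central if n.endswith(".dist-info/RECORD"))
        record = dict(line.split(",")[:2] for line in zf.read(record_name).decode().splitlines())
        for name in (n for n in central if n != record_name):
            if name not in record:
                findings.append(f"not in RECORD: {name}")
            elif record[name] != record_digest(zf.read(name)):
                findings.append(f"hash mismatch: {name}")
        findings += [f"missing from archive: {n}" for n in record if n not in central]
    return findings

def build_sample_wheel(smuggle: bool) -> bytes:
    # Constructed sample: two benign files listed in RECORD, optionally plus an unlisted one.
    files = {"package/__init__.py": b"", "package/module.py": b"VALUE = 1\n"}
    record = "".join(f"{p},{record_digest(c)},{len(c)}\n" for p, c in files.items())
    if smuggle:
        files["package/installer_backdoor.py"] = b"# not listed in RECORD\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
        zf.writestr("package-1.0.dist-info/RECORD", record)
    return buf.getvalue()
```

A wheel whose local headers, central directory and RECORD all agree yields no findings; the smuggled variant is reported as "not in RECORD: package/installer_backdoor.py".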
The post PyPI Released Advisory to Prevent ZIP Parser Confusion Attacks on Python Package Installers appeared first on Cyber Security News.