Legacy Python Bootstrap Scripts Create Domain-Takeover Risk in Multiple PyPI Packages

Researchers in cybersecurity have found vulnerable code in several legacy Python packages, which could potentially facilitate a supply chain compromise on PyPI using a domain takeover attack.

The software supply chain security company ReversingLabs said it found the "vulnerability" in the bootstrap files provided by the build and deployment automation tool "zc.buildout."

"The scripts automate the downloading, building, and installation of these libraries and tools," said security researcher Vladimir Pezo. "More specifically, upon execution of the bootstrap script, it downloads and executes an installation script of the package Distribute from python-distribute[.]org-a domain that is currently for sale at a premium price while being managed to drive ad revenue."

The PyPI packages that include a bootstrap script which accesses the domain in question include tornado, pypiserver, slapos.core, roman, xlutils, and testfixtures.

The essence of the problem is an old bootstrap script ("bootstrap.py") that was used along with the zc.buildout tool for initializing the Buildout environment. The script also supported installing, into the local environment, a utility called "Distribute"-a short-lived fork of the Setuptools project.

For this, it downloads the Distribute installation script ("distribute_setup.py") from the domain python-distribute[.]org, which has been for sale since 2014. When adding the option, the idea was to tell the bootstrap script to download and install the Distribute package instead of the older Setuptools package for managing eggs and dependencies for the buildout.

Notably, the reason for the creation of the Distribute fork was a consequence of the fact that Setuptools, the major package management tool used at that time, wasn't actively being developed.

However, in 2013, the features from Distribute were back-merged into Setuptools and Distribute itself was declared obsolete.

The finding by ReversingLabs pertains to how a significant number of packages have continued shipping the bootstrap script, which either tries to install Distribute by default or when the command-line option ("-d" or "--distribute") is specified. This, coupled with the fact that the domain in question is up for grabs, puts users at latent risk since an attacker could weaponize this setup to serve malicious code when the bootstrap script is inadvertently run and steal sensitive data.

Although some of the affected packages have already taken steps to remove the bootstrap script, slapos.core still continues to ship the vulnerable code. It is also included within the development and maintenance version of Tornado.

Another important aspect here is that the bootstrap script is not executed automatically during package installation and is written in Python 2; this means it cannot be executed with Python 3 without modifications. But the mere presence of the file leaves an "unnecessary attack surface" that attackers can exploit if the developers are tricked into running code that triggers the execution of the bootstrap script.

The threat of a domain takeover is not theoretical. In 2023 it was discovered that the npm package fsevents had been compromised by a bad actor who hijacked an unclaimed cloud resource hosted at fsevents-binaries.s3-us-west-2.amazonaws[.]com to push malicious executables to users installing certain versions of the package (CVE-2023-45311, CVSS score: 9.8).

"The issue resides in the programming pattern that involves fetching and executing a payload from a hardcoded domain, a pattern widely seen across different variants of malware that exhibit downloader behavior," Pezo said. "The fact that the Distribute module was not formally decommissioned allowed vulnerable bootstrap scripts to linger and left unknown numbers of projects exposed to a potential attack."

The disclosure comes amid the discovery by HelixGuard of a malicious PyPI package named "spellcheckers", which claims to check spelling mistakes through OpenAI Vision but contains malicious code that connects to an external server in order to download a next-stage payload for the execution of a remote access trojan.

The package, which was first uploaded to PyPI on November 15, 2025 by a user named leo636722, has been downloaded 955 times. It is no longer available for download.

"This RAT is capable of receiving remote commands and executing attacker-controlled Python code through exec(), thus providing full remote control over the victim's host," HelixGuard said. "When the user installs and runs the malicious package, a backdoor becomes active that permits the attacker to take remote control over the user's computer."