PyPI Install-Time Execution Audit

After the LiteLLM .pth backdoor: paste a package name and find every code path that runs before import, before first use — sometimes before the user even knows the package is installed.

Enter the package name in lowercase. The tool pulls the latest release metadata and file manifest from PyPI's JSON API and scans it in-browser for the same install-time execution primitives flagged in the LiteLLM postmortem. Only the structured findings are sent to the analyzer.

Install-time surface scan

The results panel shows a risk verdict and the following checks:
  • .pth file in payload (runs on interpreter startup)
  • setup.py with executable code (runs at install)
  • Post-install / cmdclass overrides
  • Console script entry points
  • Top-level __init__.py side effects
  • Namespace package collision risk
  • Wheel only (skips setup.py exec)
How this works
  • .pth files: any file ending in .pth shipped inside the package body. Python evaluates these on every interpreter startup — not on import — making them the highest-blast-radius vector. This was the LiteLLM mechanism.
  • setup.py exec: arbitrary Python evaluated at install time. Skipped when only a wheel is published, but still attacker-reachable on sdist installs.
  • Post-install / cmdclass overrides: subclassing install, develop, or build_py to inject post-install logic.
  • Console script entry points: not malicious by themselves, but they install commands into the user's $PATH and run on first invocation, which tab-completion or shell hooks can trigger without the user deliberately running the command.
  • Top-level __init__.py side effects: imports, network calls, or filesystem writes that run on the first import of the package.
  • Namespace package collision: implicit namespace packages can be hijacked if an attacker registers a sibling distribution with the same top-level name.
  • Wheel-only publishing sidesteps setup.py execution at install but does not protect against .pth, post-install entry points, or __init__ side effects.
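The checks above can be reproduced offline with nothing but the release file list, the archive manifest, and the source of setup.py and the top-level __init__.py. The following scanner is an added example written for this page, not the tool's own code: it applies the same classification (.pth in payload, executable code and cmdclass overrides in setup.py, console_scripts entry points, import-time side effects, wheel-only releases) to a constructed sample package called demo_pkg. The manifest, setup.py and __init__.py sources, the HOOKABLE_COMMANDS and RISKY_MODULES sets, and the high/medium/low scoring are all assumptions made for the example; the page does not describe the tool's scoring rules.

```python
import ast
from dataclasses import dataclass, field

# setuptools command classes whose subclasses execute during install/build (assumed list).
HOOKABLE_COMMANDS = {"install", "develop", "build_py", "egg_info", "bdist_wheel"}
# Modules whose import at package-import time deserves a look; a heuristic, not a verdict.
RISKY_MODULES = {"subprocess", "socket", "urllib", "urllib.request", "requests", "http.client", "ctypes"}

# Constructed sample release: an sdist plus a wheel, and the sdist's file manifest.
SAMPLE_RELEASE_FILES = ["demo_pkg-1.0.tar.gz", "demo_pkg-1.0-py3-none-any.whl"]
SAMPLE_MANIFEST = [
    "demo_pkg-1.0/setup.py",
    "demo_pkg-1.0/demo_pkg/__init__.py",
    "demo_pkg-1.0/demo_pkg/core.py",
    "demo_pkg-1.0/demo_pkg/_startup.pth",  # evaluated on every interpreter start
]
# Constructed setup.py: reads a file at install time and overrides the install command.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install

VERSION = open("VERSION").read()

class PostInstall(install):
    def run(self):
        install.run(self)
        import subprocess
        subprocess.run(["echo", "post-install hook"])

setup(
    name="demo_pkg",
    version=VERSION,
    cmdclass={"install": PostInstall},
    entry_points={"console_scripts": ["demo=demo_pkg.cli:main"]},
)
'''
# Constructed __init__.py with a network call that fires on first import.
SAMPLE_INIT = '''\
"""demo_pkg: constructed sample with an import-time beacon."""
import os
import urllib.request

__version__ = "1.0"
urllib.request.urlopen("https://example.invalid/beacon")
'''


@dataclass
class Findings:
    wheel_only: bool = False
    pth_files: list = field(default_factory=list)
    setup_py_present: bool = False
    setup_py_executable_code: list = field(default_factory=list)
    cmdclass_overrides: list = field(default_factory=list)
    console_scripts: list = field(default_factory=list)
    init_side_effects: list = field(default_factory=list)


def _is_docstring(node):
    return isinstance(node, ast.Expr) and isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)


def _is_setup_call(node):
    if not (isinstance(node, ast.Expr) and isinstance(node.value, ast.Call)):
        return False
    func = node.value.func
    return getattr(func, "id", None) == "setup" or getattr(func, "attr", None) == "setup"


def _executable_statements(tree):
    """Top-level statements that do work when the file runs; imports, defs and plain assignments are skipped."""
    found = []
    for node in tree.body:
        if isinstance(node, (ast.Import, ast.ImportFrom, ast.FunctionDef, ast.ClassDef)):
            continue
        if _is_docstring(node) or _is_setup_call(node):
            continue
        if isinstance(node, (ast.Assign, ast.AnnAssign)) and not any(isinstance(n, ast.Call) for n in ast.walk(node)):
            continue
        found.append(f"L{node.lineno}: {ast.unparse(node)[:60]}")
    return found


def _risky_imports(tree):
    found = []
    for node in tree.body:
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        else:
            names = []
        for n in names:
            if n in RISKY_MODULES or n.split(".")[0] in RISKY_MODULES:
                found.append(f"L{node.lineno}: import {n}")
    return found


def scan_setup_py(source, f):
    tree = ast.parse(source)
    f.setup_py_executable_code = _executable_statements(tree)
    for node in tree.body:
        if isinstance(node, ast.ClassDef):  # subclass of a hookable command == post-install logic
            bases = [getattr(b, "id", None) or getattr(b, "attr", None) for b in node.bases]
            hooked = [b for b in bases if b in HOOKABLE_COMMANDS]
            if hooked:
                f.cmdclass_overrides.append(f"class {node.name}({', '.join(hooked)})")
        elif _is_setup_call(node):
            kws = {kw.arg: kw.value for kw in node.value.keywords}
            cc = kws.get("cmdclass")
            if isinstance(cc, ast.Dict):
                for k, v in zip(cc.keys, cc.values):
                    if k is not None:
                        f.cmdclass_overrides.append(f"cmdclass[{ast.unparse(k)}]={ast.unparse(v)}")
            ep = kws.get("entry_points")
            if isinstance(ep, ast.Dict):
                for k, v in zip(ep.keys, ep.values):
                    if isinstance(k, ast.Constant) and k.value == "console_scripts" and isinstance(v, ast.List):
                        f.console_scripts += [e.value for e in v.elts if isinstance(e, ast.Constant)]
    return f


def scan_init(source, f):
    tree = ast.parse(source)
    f.init_side_effects = _risky_imports(tree) + _executable_statements(tree)
    return f


def run_audit(release_files, manifest, setup_source=None, init_source=None):
    """release_files: names of the published release files; manifest: paths inside the archive."""
    f = Findings()
    f.wheel_only = not any(x.endswith((".tar.gz", ".zip")) for x in release_files)
    f.pth_files = [p for p in manifest if p.endswith(".pth")]
    f.setup_py_present = any(p.rsplit("/", 1)[-1] == "setup.py" for p in manifest)
    if setup_source and f.setup_py_present and not f.wheel_only:  # wheel-only: setup.py never runs on install
        scan_setup_py(setup_source, f)
    if init_source:
        scan_init(init_source, f)
    return f


def verdict(f):
    if f.pth_files or f.cmdclass_overrides:
        return "high"    # runs at interpreter start or at install, with no import by the user
    if f.setup_py_executable_code or f.init_side_effects:
        return "medium"
    return "low"         # console scripts are reported but not scored on their own


if __name__ == "__main__":
    findings = run_audit(SAMPLE_RELEASE_FILES, SAMPLE_MANIFEST, SAMPLE_SETUP_PY, SAMPLE_INIT)
    print(verdict(findings), findings)
```

Run as a script it reports "high" for demo_pkg, driven by the .pth file and the install override; feed it a wheel-only release and the setup.py findings drop out, which is exactly the gap the "Wheel only" check describes: the .pth and __init__ surfaces remain.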

For PyPI lookups it hits pypi.org/pypi/<name>/json for metadata and the wheel/sdist file listings — no package contents are downloaded into the browser. The remediation diff is generated by Claude Haiku from the structured findings.

If this was useful

I build tools like this for founders — usually in a day, aimed at one specific problem. If you want more, follow along.
