Malicious code in whatsfly-labfox (PyPI)
MAL-2026-4776
Published · Modified
Description
Source: amazon-inspector (c63e3f4776abe00db50f3d7e34bea3ed308a52b6e0c44872692b0dce50290d1f)
On import whatsfly, whatsfly/__init__.py invokes ensureUsableBinaries() from whatsfly/dependencies/builder.py, which downloads a native binary (.so/.dll/.dylib) from the GitHub Actions artifacts API for Labfox/whatsfly, unzips it under whatsfly/dependencies/whatsmeow/, and whatsmeow.py loads it directly via ctypes.CDLL(...).

The download is authenticated with a fine-grained GitHub Personal Access Token (github_pat_11AZ7BYQI05SxpWYyU3Ctr_e2PlN...) reconstructed at runtime from a per-character list in whatsfly/dependencies/github_actions_download.py:7 — a deliberate obfuscation pattern used to evade GitHub's automated secret scanning.

Two installer-impacting consequences follow:

(1) Every installer extracts the same live GitHub PAT and can use it against the author's GitHub account and the Labfox/whatsfly repository (credential redistribution to third parties).

(2) The fetched artifact is a GitHub Actions artifact (mutable, 90-day TTL) pinned only by the loose string version="v20" with no hash or signature verification — anyone holding the PAT (including any installer of this package) can replace the artifact and achieve remote code execution on every subsequent importer via the ctypes load.
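The two patterns the advisory describes, a secret rebuilt at runtime from a list of single characters and a native library handed to ctypes without a digest check, are both visible statically. The following is an added example (not code from the whatsfly package or from amazon-inspector) that walks a module's AST to flag character lists that reassemble into a GitHub token prefix and to list ctypes loader calls, and shows the pinned SHA-256 comparison that should gate such a load. The sample source and the placeholder token inside it are constructed for the demo; the function names, TOKEN_PREFIXES and NATIVE_LOADERS are this example's own.

```python
"""Static checks for the two advisory patterns: a secret reconstructed from a
per-character list, and a native library loaded through ctypes. Also shows the
digest verification the advisory says is absent.
Added illustration, not code from whatsfly or amazon-inspector."""
import ast
import hashlib
import hmac

# GitHub token prefixes that automated secret scanning keys on. A token split
# into single characters never appears as one of these literals in the source,
# which is exactly why the split defeats a literal-matching scanner.
TOKEN_PREFIXES = ("github_pat_", "ghp_", "gho_", "ghu_", "ghs_", "ghr_")

# ctypes entry points that hand control to whatever binary they are given.
NATIVE_LOADERS = {"CDLL", "WinDLL", "PyDLL", "LoadLibrary"}


def _chars_from_sequence(node):
    """Return the joined string if `node` is a list/tuple whose elements are
    all one-character string constants, otherwise None."""
    if not isinstance(node, (ast.List, ast.Tuple)) or not node.elts:
        return None
    chars = []
    for elt in node.elts:
        if isinstance(elt, ast.Constant) and isinstance(elt.value, str) and len(elt.value) == 1:
            chars.append(elt.value)
        else:
            return None
    return "".join(chars)


def find_split_secrets(source):
    """Return [(lineno, reconstructed)] for character lists that rebuild a
    string beginning with a known token prefix."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        rebuilt = _chars_from_sequence(node)
        if rebuilt is not None and rebuilt.startswith(TOKEN_PREFIXES):
            hits.append((node.lineno, rebuilt))
    return hits


def find_native_loads(source):
    """Return line numbers of ctypes.CDLL(...)-style calls; each one needs a
    manual check of where the file came from and whether it was verified."""
    lines = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if node.func.attr in NATIVE_LOADERS and ast.unparse(node.func).startswith("ctypes."):
                lines.append(node.lineno)
    return lines


def digest_matches(data, expected_sha256_hex):
    """The missing verification step: compare the downloaded artifact's SHA-256
    against a digest pinned in the package before it is ever loaded."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


# Constructed sample source mimicking the reported pattern. The token is a
# placeholder assembled for this demo, not a real credential.
SAMPLE_SOURCE = '''
import ctypes
_t = ["g", "i", "t", "h", "u", "b", "_", "p", "a", "t", "_", "E", "X", "A", "M", "P", "L", "E"]
TOKEN = "".join(_t)
lib = ctypes.CDLL("whatsmeow.so")
'''


def scan(source):
    """Run both checks over a module's source text and return a small report."""
    return {
        "split_secrets": find_split_secrets(source),
        "native_loads": find_native_loads(source),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_SOURCE))
```

Run against an installed package by reading each .py file and passing its text to scan(); a hit in split_secrets paired with a native_loads line in the same package is the combination this advisory describes. digest_matches() is what the download path should call on the artifact bytes, with the expected digest shipped in the package rather than fetched alongside the binary.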
References