In the summer of ‘24, Tushar and I were deep in a nerd chat about Python’s infamous PTH files. (Nope, not PyTorch stuff; we mean those sneaky .pth files that let you run code at interpreter startup, zero imports needed.) We got properly spooked by how you can hijack Python, and the system it runs on, without even touching the main code, and I swore I’d write a post about all the hidden “gotchas” like this lurking in other languages. Fast-forward to 2026: the LiteLLM supply chain attack happened and I finally got the cosmic slap I needed: “It’s now or never, get this blog out!” So here we are, and wow, do I wish I’d written it sooner.

This series is a deep dive into implicit attack surfaces in programming languages and the tooling around them. Instead of walking a lifecycle (“install → build → run”), we’ll catalogue concrete execution primitives: files on disk, environment variables, CLI flags, and module hooks, each with where it lives, what runs, when it runs, whether execution is implicit, and what an attacker typically needs (write access, supply chain, env control, and so on).

Each post focuses on a single language or runtime.

Forgive me if I missed yours, but definitely let me know about it. I’d love to chat and add it to the list.