pip
Python package installer. Installing packages with malicious setup.py executes arbitrary code. Can also download and run Python scripts directly.
Binary Paths
/usr/bin/pip
/usr/bin/pip3
/usr/local/bin/pip
/usr/local/bin/pip3
Glob Patterns
| Pattern | Notes |
|---|---|
| pi? | Single wildcard replaces 'p' — matches pip and pip3 (with suffix) |
| p?p | Wildcard replaces 'i' — note: also matches php; use full path or context to disambiguate |
| pip[3] | Character class on version suffix — matches pip3 |
| /usr/bin/pi? | Full path wildcard — resolves to /usr/bin/pip |
| /???/bin/pip | Obfuscate /usr/ directory component |
| $(ls /usr/bin/pi?) | ls resolves glob to /usr/bin/pip; command substitution executes it |
| $'\x70\x69\x70' | ANSI-C hex escapes expand to 'pip' |
YARA Rule
Auto-generated detection rule for pip
Platform Notes
pip install with a local package runs setup.py install, executing arbitrary Python code as the installing user. pip download retrieves packages to disk without installing. The binary may be pip3 on Python-3-only systems — use pip* or pi? globs to cover both.
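
A defender-side check for the patterns in the table above, as an added example that is not part of the original page: it decodes ANSI-C hex escapes and tests whether a glob token in a logged command line can expand to one of the binary paths listed here. The function names are assumptions made for illustration.

```python
import fnmatch
import re

# Binary paths and names taken from this page.
PIP_PATHS = ["/usr/bin/pip", "/usr/bin/pip3",
             "/usr/local/bin/pip", "/usr/local/bin/pip3"]
PIP_NAMES = ["pip", "pip3"]

def decode_ansi_c(token):
    """Expand hex escapes in a $'...' token; other tokens pass through."""
    m = re.fullmatch(r"\$'(.*)'", token)
    if not m:
        return token
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda h: chr(int(h.group(1), 16)), m.group(1))

def glob_matches(pattern, target):
    """Shell-style match where wildcards never cross a '/' boundary."""
    p_parts, t_parts = pattern.split("/"), target.split("/")
    return len(p_parts) == len(t_parts) and all(
        fnmatch.fnmatchcase(t, p) for p, t in zip(p_parts, t_parts))

def classify(token):
    """Return 'plain', 'obfuscated' or None for one command-line token."""
    decoded = decode_ansi_c(token)
    targets = PIP_PATHS if "/" in decoded else PIP_NAMES
    if decoded in targets:
        # An exact hit that needed decoding first was hidden behind escapes.
        return "plain" if decoded == token else "obfuscated"
    if re.search(r"[*?\[]", decoded) and any(
            glob_matches(decoded, t) for t in targets):
        return "obfuscated"
    return None

def find_pip_references(cmdline):
    """Scan a logged command line; return (token, verdict) for each hit."""
    hits = []
    for raw in cmdline.split():
        # Peel command-substitution wrappers such as $(ls ...) and backticks.
        token = raw[2:] if raw.startswith("$(") else raw
        token = token.strip("`)")
        verdict = classify(token)
        if verdict:
            hits.append((token, verdict))
    return hits
```

A bare-name hit such as p?p is ambiguous because it also matches php, so alerts on bare names need the surrounding arguments (install, download) for context.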