Execution Before Import
Python's .pth file mechanism was designed for path configuration: put a line naming a directory in a .pth file inside site-packages, and the site module appends that directory to sys.path when the interpreter starts. But a .pth line that begins with 'import' is not treated as a path at all; the site module hands the whole line to exec(). Such a line runs every time the interpreter starts with site processing enabled (the default; only python -S skips it), before the main script, before any of the application's own import statements, and before any check the application itself could perform.
CVE-2026-42208 tracks an attack that abuses this mechanism through the AI routing library semantic-router. A compromised wheel in its transitive dependency chain installed a .pth file that executed on every Python interpreter startup. The payload harvested AWS credentials, GCP service account keys, Azure tokens, SSH private keys, Kubernetes configs, and database connection strings, then exfiltrated them to an external endpoint.
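To make the startup behaviour concrete, here is an added example (not code from the original article or from any of the packages it names). It writes a constructed .pth file into a throwaway directory and hands that directory to site.addsitedir(), which is exactly what site.main() does for each site-packages directory at startup. The executable line only sets an environment variable so the effect is observable without doing anything harmful; the marker name PTH_DEMO_RAN is an arbitrary choice for this demo.

```python
"""Show that a .pth line starting with 'import' is exec()'d by the site module."""
import os
import site
import sys
import tempfile


def run_pth_demo():
    """Process a constructed .pth file the way Python does at startup.

    Returns (path_added, payload_ran):
      path_added  - the plain path line was appended to sys.path
      payload_ran - the 'import ...' line was executed as Python code
    """
    sitedir = tempfile.mkdtemp(prefix="pth-demo-")
    extra = os.path.join(sitedir, "extra")
    os.mkdir(extra)

    # Constructed .pth file: one ordinary path line (relative paths are joined
    # with the site dir) and one executable line. A real dropper would put its
    # loader on the second line; here it just records that it ran.
    with open(os.path.join(sitedir, "demo.pth"), "w") as fh:
        fh.write("extra\n")
        fh.write("import os; os.environ['PTH_DEMO_RAN'] = '1'\n")

    os.environ.pop("PTH_DEMO_RAN", None)
    # site.main() calls addsitedir() for every site-packages directory; calling it
    # ourselves on the temp dir reproduces the startup processing in-process.
    site.addsitedir(sitedir)

    path_added = os.path.abspath(extra) in sys.path
    payload_ran = os.environ.get("PTH_DEMO_RAN") == "1"
    return path_added, payload_ran


if __name__ == "__main__":
    print(run_pth_demo())  # expected: (True, True)
```

Nothing in the demo imports or references demo.pth; the side effect appears purely because the directory was processed as a site directory. Running the same interpreter with python -S would skip site processing and neither effect would occur, which is a useful way to confirm that an unexplained startup side effect comes from a .pth file.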
The Transitive Dependency Blindspot
semantic-router is an AI routing library — it routes queries to the appropriate AI model based on semantic similarity. Developers install it to build multi-model AI applications. They audit semantic-router's code. They do not audit the wheels that semantic-router's dependencies pull in transitively.
This is the supply chain reality: pip install semantic-router doesn't install one package. It installs a dependency tree. One node in that tree shipped a compromised wheel containing a top-level .pth file, and pip installs such a file straight into site-packages alongside the package's own modules. The .pth file doesn't need to be imported. It doesn't need to be referenced. It executes because the site module processes every .pth file it finds in site-packages at interpreter startup.
AI Is the Risk Multiplier
AI libraries have unusually deep dependency trees. A typical AI routing or orchestration library pulls in tokenizers, embedding models, HTTP clients, cloud SDKs, and model provider libraries — each with their own transitive dependencies. The attack surface isn't the library you chose. It's the 47 packages that come with it.
This attack would work against any Python library with a compromised transitive dependency. But AI libraries are disproportionately targeted because they run in environments rich with credentials — cloud API keys, model provider tokens, infrastructure secrets. The AI dependency graph is a credential harvesting vector.
Detection and Remediation
Audit the .pth files in every site-packages directory you use (system, virtualenv, and user site) immediately. Any line that begins with 'import' is executable code, not a path, and deserves a look. Some are legitimate: setuptools ships distutils-precedence.pth, and editable installs can register import hooks the same way. Compare each executable .pth against the package that installed it (every installed file should appear in some dist-info/RECORD; a .pth that no RECORD accounts for is an anomaly in its own right) and treat lines that decode base64, open sockets, or read environment variables and key files as hostile until proven otherwise. Use pip-audit or safety to scan for known compromised packages, keeping in mind that they only catch what has already been reported. Pin the full transitive tree with hash verification (pip-compile --generate-hashes, then pip install --require-hashes) so a swapped wheel fails to install rather than failing silently. And consider whether your AI development environments should have access to production credentials at all; the answer, after CVE-2026-42208, is clearly no.
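The following added audit script (mine, not the article's or any project's tool) classifies every line of every .pth file the same way site.addpackage() does, so it flags exactly the lines Python would exec(). The list of suspicious tokens is a heuristic of my own and will produce both false positives and misses; it is a triage aid, not a verdict. The demo() function runs the audit over two constructed .pth files in a temp directory so the example is self-contained.

```python
"""Audit .pth files: mirror site.addpackage()'s line handling and flag executable lines."""
import os
import site
import tempfile
from dataclasses import dataclass

# Heuristic: tokens that are common in droppers but rare in packaging hooks.
SUSPICIOUS_TOKENS = ("base64", "exec(", "eval(", "compile(", "marshal", "zlib",
                     "urllib", "socket", "subprocess", "os.environ", "open(")


@dataclass
class Finding:
    file: str
    lineno: int
    kind: str          # "blank", "comment", "path" or "exec"
    text: str
    suspicious: bool   # only meaningful when kind == "exec"


def classify(line):
    """Same rules as site.addpackage(): '#' lines are comments, lines starting with
    'import ' or 'import\\t' are exec()'d, anything else is treated as a path."""
    if not line.strip():
        return "blank"
    if line.startswith("#"):
        return "comment"
    if line.startswith(("import ", "import\t")):
        return "exec"
    return "path"   # note: leading whitespace before 'import' makes it a path, not code


def audit_pth_file(path):
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            kind = classify(line)
            flag = kind == "exec" and any(tok in line for tok in SUSPICIOUS_TOKENS)
            findings.append(Finding(path, n, kind, line, flag))
    return findings


def audit_dirs(dirs):
    """Audit every *.pth in the given directories (the scan only reads, never exec()s)."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                findings.extend(audit_pth_file(os.path.join(d, name)))
    return findings


def default_site_dirs():
    """System/venv site-packages plus the user site dir, as the site module sees them."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    return dirs


def demo():
    """Run the audit over two constructed .pth files (sample input, not real packages)."""
    tmp = tempfile.mkdtemp(prefix="pth-audit-")
    with open(os.path.join(tmp, "a-normal-path.pth"), "w") as fh:
        fh.write("# path additions only\n")
        fh.write("some_vendor/libs\n")
    with open(os.path.join(tmp, "b-dropper.pth"), "w") as fh:
        # A typical loader shape: decode and exec a blob. The blob here is just 'print()'
        # and the audit never executes it.
        fh.write("import base64, sys; exec(base64.b64decode('cHJpbnQoKQ=='))\n")
    findings = audit_dirs([tmp])
    exec_lines = [f for f in findings if f.kind == "exec"]
    return findings, exec_lines


if __name__ == "__main__":
    for f in audit_dirs(default_site_dirs()):
        if f.kind == "exec":
            tag = "SUSPICIOUS" if f.suspicious else "exec      "
            print(f"{tag} {f.file}:{f.lineno}: {f.text}")
```

Run it from inside each virtualenv you care about, since default_site_dirs() reports the directories of the interpreter that runs it. Every 'exec' hit should be traceable to a package you expect to ship one (check the dist-info/RECORD that lists the file); anything flagged SUSPICIOUS that you cannot tie to a known packaging hook is the point at which to stop and pull the wheel apart.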