Summary "EntryPoint::FromStr" in "rattler_conda_types" performs only ".trim()" on the "command" field before the linker joins it onto the install prefix and writes an executable Python script. A malicious "noarch:python" package can ship an "info/link.json" with an entry-point name containing "..", "/", "", or an absolute path; the resulting file is written outside the prefix (or clobbers an existing in-prefix entry-point such as "bin/pip") with mode "0o775" on Unix and a copied launcher ".exe" on Windows. This affects the default install path of "pixi install", "rattler-build", some methods in "py-rattler", and any other consumer of the "rattler" install crate; no flag or post-link-script opt-in is involved. Resolved in https://github.com/conda/rattler/pull/2445, released in rattler 0.43.2. Affected - Repository: https://github.com/conda/rattler - Commit: "a0e61a33da8b9d6de712fab2a879fa9da977e6e3" (HEAD at audit time, 2026-05-13 release) - Downstream consumers reached through the same code path: "prefix-dev/pixi" @ "e640477" - pixi 0.69.0 and rattler-build 0.65.0 fix this issue Researcher Berkant Koc "me@berkoc.com" (mailto:me@berkoc.com) PGP: 0C588DFD76204987284213EA0AC529C41F8AA5D6