oracle · AmineRaouane · May 19, 2025 · May 26, 2025 · May 29, 2025 · Jun 3, 2025
@@ -311,3 +311,13 @@ rules:
     - pattern: os.writev(...)
     - pattern: os.pwrite(...)
     - pattern: os.pwritev(...)
+
+- id: obfuscation_excessive-spacing
+  metadata:
+    description: Detects the use of excessive spacing in code, which may indicate obfuscation or hidden code.
+  message: Hidden code after excessive spacing
+  languages:
+  - python
+  severity: WARNING
+  pattern-either:
+  - pattern-regex: '[ \t\n\r\f\v]{50,}[^ \t\n\r\f\v]+' # The 50 here is the threshold for excessive spacing , more than that is considered obfuscation
@@ -0,0 +1,25 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""
+Running this code will not produce any malicious behavior, but code isolation measures are
+in place for safety.
+"""
+
+import sys
+
+# ensure no symbols are exported so this code cannot accidentally be used
+__all__ = []
+sys.exit()
+
+def test_function():
+    """
+    All code to be tested will be defined inside this function, so it is all local to it. This is
+    to isolate the code to be tested, as it exists to replicate the patterns present in malware
+    samples.
+    """
+    sys.exit()
+
+    # excessive spacing obfuscation
+    def excessive_spacing_flow():
+                                                                                                                                                                                                                                                       print("Hello world!")
@@ -229,6 +229,21 @@
                     "end": 68
                 }
             ]
+        },
+        "src.macaron.resources.pypi_malware_rules.obfuscation_excessive-spacing": {
+            "message": "Hidden code after excessive spacing",
+            "detections": [
+                {
+                    "file": "obfuscation/excessive_spacing.py",
+                    "start": 24,
+                    "end": 25
+                },
+                {
+                   "file": "obfuscation/inline_imports.py",
+                    "start": 27,
+                    "end": 27
+                }
+            ]
         }
     },
     "disabled_sourcecode_rule_findings": {}

@@ -24,7 +24,7 @@ def test_function():
     __import__('builtins')
     __import__('subprocess')
     __import__('sys')
-    __import__('os')
+    print("Hello world!")                                                                                                                                                                                                                                                                ;__import__('os')
     __import__('zlib')
     __import__('marshal')
     # these both just import builtins