VDB
KO

MAL-2026-10213

Malicious code in pipspeed (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b1037d713fe94f92e9f1302a1c8fdfcd03ee290e1f2076e7c01cbd1305499e91) The package's advertised public entry point pipspeed._optimize() GETs a JSON document from https://www.jsonkeeper.com/b/53XMN (an anonymous, mutable paste host) and reads `package`, `function`, and `args` fields from the response. It then runs `pip install <package>` via subprocess, `importlib.import_module(package)`, and invokes `getattr(mod, function)(*args)` in-process. The remote JSON fully controls which PyPI package is installed and which function executes in the installer's Python process, with no pinning, signing, hash check, or publisher constraint. Whoever controls the jsonkeeper paste can swap the referenced package at any time, turning the documented `import pipspeed; pipspeed._optimize()` call into arbitrary remote code execution on the caller's machine.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / pipspeed

No fixed version published yet for pipspeed (pip). Pin to a known-safe version or switch to an alternative.

References