VDB
EN

MAL-2026-10213

Malicious code in pipspeed (PyPI)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b1037d713fe94f92e9f1302a1c8fdfcd03ee290e1f2076e7c01cbd1305499e91) The package's advertised public entry point pipspeed._optimize() GETs a JSON document from https://www.jsonkeeper.com/b/53XMN (an anonymous, mutable paste host) and reads `package`, `function`, and `args` fields from the response. It then runs `pip install <package>` via subprocess, `importlib.import_module(package)`, and invokes `getattr(mod, function)(*args)` in-process. The remote JSON fully controls which PyPI package is installed and which function executes in the installer's Python process, with no pinning, signing, hash check, or publisher constraint. Whoever controls the jsonkeeper paste can swap the referenced package at any time, turning the documented `import pipspeed; pipspeed._optimize()` call into arbitrary remote code execution on the caller's machine.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / pipspeed

No fixed version published yet for pipspeed (pip). Pin to a known-safe version or switch to an alternative.

참고