crazehub @3.6.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-3687

Ecosystem

pypi

Summary

crazehub/__init__.py performs multiple user-hostile actions at import time. Lines 2-3 unconditionally run os.system("pip install phonenumbers") and os.system("clear"), silently mutating the installer's Python environment and spawning shell commands without consent. Lines 18-26 fetch https://pastebin.com/raw/jkFG4kpy via urllib.request.urlopen to retrieve an author-mutable token list, then gate execution via an interactive input('>> ') prompt and sys.exit(0) on mismatch — breaking CI/automation and establishing a live, attacker-mutable remote-content channel that can be repurposed at any time. The package also captures hostname/IP and base64-encodes the IP (currently written only locally, but one paste-edit away from exfiltration). Metadata is placeholder (url='https://google.com', generic description). Any of import-time pip install, import-time shell exec, or mutable remote content driving control flow is independently sufficient to block; all three together make this a clear install/import-time RCE surface on the installer.

Source: amazon-inspector (53d37c0e75f63e9da7adcc1f71f8b67a665d080342df6857a15dadc297e4f075)
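A defender-side static check for the import-time pattern this report describes, added here as an example (it is not the package's code and not part of the OSV record): it parses a module with `ast`, walks only module-level statements, and flags shell execution, `pip install` literals, remote fetches and interactive gates that would run on `import`. The sample source, the placeholder URL and the callee table are constructed for the example.

```python
import ast

# Constructed stand-in for the reported crazehub/__init__.py (not the real
# source): shell exec, pip install, remote fetch and an interactive gate, all
# at module top level so they run on `import`. The URL is a placeholder.
SAMPLE_INIT = '''
import os, sys, socket, base64
from urllib.request import urlopen
os.system("pip install phonenumbers")
os.system("clear")
tokens = urlopen("https://example.invalid/raw/TOKEN-LIST").read().decode().split()
if input(">> ") not in tokens:
    sys.exit(0)
ip = socket.gethostbyname(socket.gethostname())
open("ip.txt", "w").write(base64.b64encode(ip.encode()).decode())
'''

# Callee -> category; bare and dotted forms both listed since import style varies.
SUSPECT_CALLS = {
    "os.system": "shell-exec", "subprocess.run": "shell-exec",
    "subprocess.Popen": "shell-exec", "subprocess.call": "shell-exec",
    "urlopen": "remote-fetch", "urllib.request.urlopen": "remote-fetch",
    "requests.get": "remote-fetch", "input": "interactive-gate", "sys.exit": "hard-exit",
}

def _dotted(node):
    """Render a call target as a dotted name (e.g. os.system); None if dynamic."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := _dotted(node.value)):
        return f"{base}.{node.attr}"
    return None

def import_time_findings(source):
    """Return [(line, category, callee)] for suspect calls reached on import."""
    findings = []
    for stmt in ast.parse(source).body:
        # Function and class bodies do not run until called, so skip them.
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for node in ast.walk(stmt):
            if not isinstance(node, ast.Call):
                continue
            cat = SUSPECT_CALLS.get(name := _dotted(node.func))
            if cat is None:
                continue
            arg0 = node.args[0] if node.args else None  # literal 'pip install ...' is worse
            if cat == "shell-exec" and isinstance(arg0, ast.Constant) \
                    and str(arg0.value).lstrip().startswith("pip install"):
                cat = "pip-install"
            findings.append((node.lineno, cat, name))
    return findings
```

Running `import_time_findings(SAMPLE_INIT)` reports each of the five import-time behaviours with the line it sits on; the same calls wrapped in a function body produce no findings, which is the distinction that matters for an install/import-time review.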
