pipspeed @0.1.0
Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 11:38 PM UTC
OSV ID
MAL-2026-10213
Ecosystem
pypi
Summary
The package's advertised public entry point pipspeed._optimize() GETs a JSON document from https://www.jsonkeeper.com/b/53XMN (an anonymous, mutable paste host) and reads package , function , and args fields from the response. It then runs pip install <package> via subprocess, importlib.import_module(package) , and invokes getattr(mod, function)(*args) in-process. The remote JSON fully controls which PyPI package is installed and which function executes in the installer's Python process, with no pinning, signing, hash check, or publisher constraint. Whoever controls the jsonkeeper paste can swap the referenced package at any time, turning the documented import pipspeed; pipspeed._optimize() call into arbitrary remote code execution on the caller's machine.
Source: amazon-inspector (b1037d713fe94f92e9f1302a1c8fdfcd03ee290e1f2076e7c01cbd1305499e91)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.