pypi

pirxcypackage @8.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID: MAL-2026-3695

Ecosystem: pypi

Summary

PirxcyPackage/__init__.py fetches https://pastebin.com/raw/91tFF63S and passes the response body to exec() on every import. This is a textbook remote-code-execution supply-chain pattern: the payload is mutable, unauthenticated, unsigned, and controlled by a third-party paste owner, so any installer importing this package runs arbitrary attacker-chosen Python. The staging via Pastebin also ensures static review of the wheel cannot observe actual behavior. Installer harm is direct and unambiguous.

Source: amazon-inspector (5de481a31a831804a096bf6cf87157c0b0ee158aa7306c95080447764f9f7540)
