PkgRadar

PyPI · pypi.org

create-leafmesh

Py Runtime Base64 Decode: base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.

Why PkgRadar flagged 2.3.2

| Severity | Signal | Evidence |
| --- | --- | --- |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · create_leafmesh-2.3.2/create_leafmesh/deploy_providers/aws.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · create_leafmesh-2.3.2/create_leafmesh/deploy_providers/azure.py |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
| --- | --- | --- | --- |
| 2.3.2 | High risk | 50 | 2026-06-10 |
| 2.2.6 | Low risk | 0 | 2026-06-06 |
| 2.2.4 | Low risk | 0 | 2026-06-04 |
| 2.2.3 | Low risk | 0 | 2026-06-04 |

Block this in CI

PkgRadar gates create-leafmesh (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi create-leafmesh==2.3.2