PyPI · pypi.org

gradio

Js Hidden Powershell: Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm | iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers.

Why PkgRadar flagged 6.18.0

Severity	Signal	Evidence
high	Js Hidden Powershell	Hidden / non-interactive PowerShell invocation in package code — `-WindowStyle Hidden`, `irm \| iex`, `windowsHide: true`, or equivalent — used to download-and-run payloads on Windows installers. · gradio-6.18.0/gradio/templates/frontend/assets/ApiDocs-2l_GcwlZ.js
high	Credential File Packaged	gradio-6.18.0/js/.npmrc · gradio-6.18.0/js/.npmrc
high	Credential File Packaged	gradio-6.18.0/js/_spaces-test/.npmrc · gradio-6.18.0/js/_spaces-test/.npmrc
high	Credential File Packaged	gradio-6.18.0/js/_website/.npmrc · gradio-6.18.0/js/_website/.npmrc
high	Py Runtime Base64 Decode	base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · gradio-6.18.0/gradio/processing_utils.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`6.18.0`	Review	54	2026-06-11
`6.17.3`	Review	54	2026-06-07
`6.16.0`	Review	54	2026-06-03
`6.15.2`	Review	67	2026-05-28
`6.15.1`	Review	88	2026-05-27
`6.15.0`	Review	88	2026-05-26

Block this in CI

PkgRadar gates gradio (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi gradio==6.18.0

Start free — 25 scans / mo View full evidence