PkgRadar

PyPI · pypi.org

nvflare

Py Runtime Base64 Decode: base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.

Why PkgRadar flagged 2.8.0

SeveritySignalEvidence
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · nvflare/app_opt/confidential_computing/snp_authorizer.py
highDNS / OAST exfiltrationmatched "dig and jq. Now checking if they are installed.\"\n\n check_binary aws \"Please see https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html on how to install it on your system.\"\n check_binary sshpass \"Please install it first.\"\n check_binary dig \"Please install it first.\"\n check_binary jq \"Please install it first.\"\n\n REGION=$(aws configure get region 2>/dev/null)\n : \"${REGION:=us-west-2}\"\n : \"${AWS_DEFAULT_REGION:=$REGION}\"\n : \"${AWS_REGION:=$AWS_DEFAULT_REGION}\"\n REGION=${AWS_REGION}\n\n echo \"Note: run this command first for a different AWS profile:\"\n echo \" export AWS_PROFILE=your-profile-name.\"\n\n echo -e \"\\nChecking AWS identity ... \\n\"\n aws_identity=$(" · nvflare/lighter/templates/aws_template.yml

Scanned versions

VersionVerdictScoreScanned (UTC)
2.8.0Review182026-06-04
2.8.0rc7Review182026-06-03
2.8.0rc6Review182026-06-02
2.8.0rc5Review182026-05-29
2.8.0rc4Review182026-05-29

Block this in CI

PkgRadar gates nvflare (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi nvflare==2.8.0
Start free — 25 scans / moView full evidence