PyPI · pypi.org
pillow
Py Install Time Subprocess: subprocess call — process spawning.
Why PkgRadar flagged 12.2.0
| Severity | Signal | Evidence |
|---|---|---|
| medium | Py Install Time Subprocess | subprocess call — process spawning. · pillow-12.2.0/setup.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · pillow-12.2.0/src/PIL/ImageGrab.py |
| medium | Py Custom Build Backend | Non-standard PEP 517 build-backend `backend` — runs custom code at install time. · pyproject.toml |
| medium | Remote Payload | matched "wget " · pillow-12.2.0/depends/download-and-extract.sh |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pillow-12.2.0/depends/install_imagequant.sh |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pillow-12.2.0/depends/install_openjpeg.sh |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pillow-12.2.0/depends/install_raqm.sh |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pillow-12.2.0/depends/install_raqm_cmake.sh |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
12.2.0 | Review | 46 | 2026-06-01 |
Block this in CI
pkgradar gate --ecosystem pypi pillow==12.2.0