PkgRadar

PyPI · pypi.org

prefect-client

Py Import Time Base64 Decode: base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.

Why PkgRadar flagged 3.7.5.dev5

| Severity | Signal | Evidence |
| --- | --- | --- |
| high | Py Import Time Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · prefect_client-3.7.5.dev5/src/prefect/bundles/__init__.py |
| medium | Py Import Time Subprocess | subprocess call — process spawning. · prefect_client-3.7.5.dev5/src/prefect/bundles/__init__.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · prefect_client-3.7.5.dev5/src/prefect/server/api/server.py |
| medium | Py Import Time Eval Exec | Python eval()/exec() called on a string. · prefect_client-3.7.5.dev5/src/prefect/utilities/callables/__init__.py |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
| --- | --- | --- | --- |
| 3.7.5.dev5 | High risk | 71 | 2026-06-17 |
| 3.7.5.dev4 | High risk | 71 | 2026-06-16 |
| 3.7.5.dev3 | High risk | 71 | 2026-06-13 |
| 3.7.5.dev2 | High risk | 71 | 2026-06-09 |
| 3.7.5.dev1 | High risk | 71 | 2026-06-06 |
| 3.7.4 | High risk | 71 | 2026-06-05 |
| 3.7.4.dev4 | High risk | 71 | 2026-06-05 |
| 3.7.4.dev3 | High risk | 71 | 2026-06-04 |
| 3.7.4.dev2 | High risk | 71 | 2026-06-03 |
| 3.7.4.dev1 | High risk | 71 | 2026-06-02 |
| 3.7.3 | High risk | 71 | 2026-06-01 |
| 3.7.3.dev7 | High risk | 71 | 2026-06-01 |
| 3.7.3.dev6 | High risk | 71 | 2026-05-30 |
| 3.7.3.dev4 | High risk | 71 | 2026-05-30 |

Block this in CI

PkgRadar gates prefect-client (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi prefect-client==3.7.5.dev5