PkgRadar

PyPI · pypi.org

reflex-vla

Py Runtime Base64 Decode: base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.

Why PkgRadar flagged 0.11.2

SeveritySignalEvidence
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · reflex_vla-0.11.2/scripts/modal_zmq_vs_http_ab.py
mediumPy Import Time Ctypes Loadctypes.CDLL/cdll.LoadLibrary — loads native code into the process. · reflex_vla-0.11.2/src/reflex/__init__.py
mediumRemote Payloadmatched "curl " · reflex_vla-0.11.2/infra/contribution-worker/deploy.sh
mediumRemote Payloadmatched "curl " · reflex_vla-0.11.2/infra/license-worker/deploy.sh

Scanned versions

VersionVerdictScoreScanned (UTC)
0.11.2High risk782026-05-30
0.11.1High risk782026-05-30

Block this in CI

PkgRadar gates reflex-vla (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi reflex-vla==0.11.2
Start free — 25 scans / moView full evidence