PkgRadar

PyPI · pypi.org

rxiv-maker

Py Runtime Base64 Decode: base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.

Why PkgRadar flagged 1.20.4

SeveritySignalEvidence
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · rxiv_maker-1.20.4/src/rxiv_maker/engines/operations/generate_figures.py
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · rxiv_maker-1.20.4/src/rxiv_maker/exporters/docx_writer.py
mediumRemote Payloadmatched "curl " · rxiv_maker-1.20.4/src/rxiv_maker/install/platform_installers/macos.py

Scanned versions

VersionVerdictScoreScanned (UTC)
1.20.4High risk432026-06-12
1.20.3High risk432026-06-09
1.20.2High risk432026-06-02
1.20.1High risk432026-06-01
1.20.0High risk432026-06-01

Block this in CI

PkgRadar gates rxiv-maker (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi rxiv-maker==1.20.4
Start free — 25 scans / moView full evidence
rxiv-maker — PyPI security scan | PkgRadar