PkgRadar

PyPI · pypi.org

telethon-pro-safe

Py Install Time Subprocess: subprocess call with shell=True — passes argv to /bin/sh.

Early detection

PkgRadar flagged this 1h before public disclosure

Detected 2026-05-28 · disclosed as MAL-2026-4859 on 2026-05-28

Why PkgRadar flagged 3.0.1

| Severity | Signal | Evidence |
| --- | --- | --- |
| medium | Py Install Time Subprocess | subprocess call with shell=True — passes argv to /bin/sh. · telethon_pro_safe-3.0.1/setup.py |
| medium | Py Install Time Subprocess | subprocess call — process spawning. · telethon_pro_safe-3.0.1/setup.py |

Scanned versions

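| Version | Verdict | Score | Scanned (UTC) |
| --- | --- | --- | --- |
| 3.0.4 | Low risk | 0 | 2026-05-28 |
| 3.0.3 | Low risk | 0 | 2026-05-28 |
| 3.0.2 | Low risk | 0 | 2026-05-28 |
| 3.0.1 | High risk | 100 | 2026-05-28 |
| 3.0.0 | High risk | 95 | 2026-05-28 |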

Block this in CI

PkgRadar gates telethon-pro-safe (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi telethon-pro-safe==3.0.1