PkgRadar

PyPI · pypi.org

vllm-ascend

Py Install Time Subprocess: subprocess call with shell=True — passes argv to /bin/sh.

Why PkgRadar flagged 0.20.2rc1

Severity | Signal                       | Evidence
---------|------------------------------|------------------------------------------------------------------------------------------------------------------
medium   | Py Install Time Subprocess   | subprocess call with shell=True — passes argv to /bin/sh. · vllm_ascend-0.20.2rc1/setup.py
medium   | Py Install Time Subprocess   | subprocess call — process spawning. · vllm_ascend-0.20.2rc1/setup.py
high     | Py Runtime Base64 Decode     | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · vllm_ascend-0.20.2rc1/.github/workflows/scripts/ci_log_summary.py
medium   | Remote Payload               | matched "wget " · vllm_ascend-0.20.2rc1/tools/mooncake_installer.sh
medium   | Remote Payload               | matched "wget " · vllm_ascend-0.20.2rc1/tools/shellcheck.sh

Scanned versions

Version   | Verdict   | Score | Scanned (UTC)
----------|-----------|-------|--------------
0.20.2rc1 | High risk | 77    | 2026-06-03

Block this in CI

PkgRadar gates vllm-ascend (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi vllm-ascend==0.20.2rc1