Package evidence
kcli==99.0.202606042001
Py Import Time Os System: Direct shell invocation via os.system / os.popen / os.exec*.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 5,642 · Mature · −50% score
- First published
- Dec 2019
- Publisher
- Karim Boumedhel
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
```bash
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["kcli==99.0.202606042001"],"fail_on":"review"}'
```
GitHub Actions step:
```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["kcli==99.0.202606042001"],"fail_on":"review"}'
```
Why flagged
What the scanner saw
Py Import Time Os System: Direct shell invocation via os.system / os.popen / os.exec*.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 116 · status changed
Evidence
Static findings
93 static · 0 from release diff · showing high-signal first.
Showing 30 of 78 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/cluster/hypershift/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/cluster/kubeadm/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/cluster/kubernetes/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/cluster/microshift/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/cluster/openshift/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/cluster/rke2/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/common/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/container/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/kubecommon/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/miniconsole/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/providers/aws/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/providers/fake/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/providers/gcp/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/providers/hcloud/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/providers/ibm/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/providers/kubevirt/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/providers/kvm/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/providers/openstack/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/providers/ovirt/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/providers/utm/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/providers/vsphere/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Os System | kcli-99.0.202606042001/kvirt/web/__init__.py | Direct shell invocation via os.system / os.popen / os.exec*. | 56 |
| high | Py Import Time Base64 Decode | kcli-99.0.202606042001/kvirt/providers/hcloud/__init__.py | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. | 48 |
| high | Py Import Time Base64 Decode | kcli-99.0.202606042001/kvirt/providers/utm/__init__.py | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. | 48 |
| medium | Py Import Time Subprocess | kcli-99.0.202606042001/kvirt/providers/utm/__init__.py | subprocess call — process spawning. | 32 |
| high | Py Runtime Base64 Decode | kcli-99.0.202606042001/kvirt/bottle.py | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. | 30 |
| high | Py Import Time Network Call | kcli-99.0.202606042001/kvirt/providers/vsphere/__init__.py | Network call (urllib/requests/httpx/http.client) at install or import time. | 16 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/k3s/bootstrap.sh | matched "curl\n" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/k3s/ctlplanes.sh | matched "curl\n" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/k3s/join.sh | matched "curl " | 12 |
Show all 93 findings (low-signal and informational)
Showing 60 of 93 findings.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/k3s/workers.sh | matched "curl\n" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/argocd/install.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/argocd/uninstall.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/autolabeller/install.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/autolabeller/uninstall.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/certmanager/install.sh | matched "github.com/jetstack/cert-manager/releases/download" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/dashboard/install.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/ingress/install.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/ingress/uninstall.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/istio/install.sh | matched "curl " | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/katacontainer/install.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/katacontainer/uninstall.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/knative/install.sh | matched "github.com/knative/operator/releases/download" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/kubevirt/install.sh | matched "github.com/kubevirt/kubevirt/releases/download" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/metallb/install.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/metallb/uninstall.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/olm/install.sh | matched "github.com/operator-framework/operator-lifecycle-manager/releases/download" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/olm/uninstall.sh | matched "github.com/operator-framework/operator-lifecycle-manager/releases/download" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/policy_as_code/install.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/policy_as_code/uninstall.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/rook/install.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/apps/submariner/install.sh | matched "curl " | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/bootstrap.sh | matched "raw.githubusercontent.com" | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/containerd.sh | matched "curl " | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/crio-d.sh | matched "curl " | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/pre_el.sh | matched "curl " | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/pre_ubuntu.sh | matched "curl " | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/kubeadm/sdn.sh | matched "curl " | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/openshift/apps/advanced-cluster-management/assisted-service.sh | matched "curl " | 12 |
| medium | Remote Payload | kcli-99.0.202606042001/kvirt/cluster/openshift/apps/istio/install.sh | matched "curl " | 12 |