Advisories for Pypi/Pipenv package

2022

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

pipenv is a Python development workflow tool. Starting with and, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install from that requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index …