bin-collect is vulnerable to arbitrary code execution. The vulnerability exists due to incomplete deletion of some packages getting installed from pypi.doubanio.com
creating a malicious back door which allows an attacker to inject and execute arbitrary codes.