Composer · packagist.org

automattic/jetpack

Php Base64 Eval Chain: base64/gz/hex decode combined with eval/exec/backticks — classic PHP obfuscated payload.

Why PkgRadar flagged 15.9

Severity	Signal	Evidence
high	Php Base64 Eval Chain	base64/gz/hex decode combined with eval/exec/backticks — classic PHP obfuscated payload. · Automattic-jetpack-production-ec68686/jetpack_vendor/automattic/jetpack-backup/src/class-rest-controller.php
high	Php Backtick With Decode	Backtick shell-out combined with base64/hex decode. · Automattic-jetpack-production-ec68686/jetpack_vendor/automattic/jetpack-backup/src/class-rest-controller.php
medium	Remote Payload	matched "cURL " · Automattic-jetpack-production-ec68686/jetpack_vendor/automattic/jetpack-connection/src/health/class-connection-health-tests.php
medium	Remote Payload	matched "curl " · Automattic-jetpack-production-ec68686/json-endpoints/class.wpcom-json-api-edit-media-v1-2-endpoint.php
medium	Remote Payload	matched "curl " · Automattic-jetpack-production-ec68686/json-endpoints/class.wpcom-json-api-update-post-endpoint.php
medium	Remote Payload	matched "curl " · Automattic-jetpack-production-ec68686/json-endpoints/class.wpcom-json-api-update-post-v1-1-endpoint.php
medium	Remote Payload	matched "curl " · Automattic-jetpack-production-ec68686/json-endpoints/class.wpcom-json-api-update-post-v1-2-endpoint.php
medium	Remote Payload	matched "curl " · Automattic-jetpack-production-ec68686/json-endpoints/class.wpcom-json-api-upload-media-endpoint.php
medium	Remote Payload	matched "curl " · Automattic-jetpack-production-ec68686/json-endpoints/class.wpcom-json-api-upload-media-v1-1-endpoint.php

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`15.9`	Review	41	2026-06-09

Block this in CI

PkgRadar gates automattic/jetpack (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem composer automattic/[email protected]