PkgRadar

Composer · packagist.org

xiaosongshu/flv2mp4

Php Base64 Eval Chain: base64/gz/hex decode combined with eval/exec/backticks — classic PHP obfuscated payload.

Why PkgRadar flagged v1.2.1

SeveritySignalEvidence
highPhp Base64 Eval Chainbase64/gz/hex decode combined with eval/exec/backticks — classic PHP obfuscated payload. · 2723659854-flv2mp4-2801bad/src/SabreAMF/SabreAMF_CallbackServer.php
highPhp Shell With Decodeexec / system / shell_exec combined with base64/hex decode. · 2723659854-flv2mp4-2801bad/src/SabreAMF/SabreAMF_CallbackServer.php

Scanned versions

VersionVerdictScoreScanned (UTC)
v1.2.1High risk752026-06-20
v1.2.0Low risk02026-06-15
v1.1.9Low risk02026-06-14
v1.1.8Low risk02026-06-14
v1.1.7Low risk02026-06-14
v1.1.6Low risk02026-06-12
v1.1.5Low risk02026-06-12
v1.1.4Low risk02026-06-12
v1.1.1Low risk02026-06-06
v1.0.8Low risk02026-06-03
v1.0.6Low risk02026-06-02
v1.0.4Low risk02026-05-31
v1.0.3Low risk02026-05-30

Block this in CI

PkgRadar gates xiaosongshu/flv2mp4 (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem composer xiaosongshu/[email protected]
Start free — 25 scans / moView full evidence