Go modules · proxy.golang.org

github.com/FrancescoStabile/numasec

DNS / OAST exfiltration: matched "dig $("

Why PkgRadar flagged v1.1.4

Severity	Signal	Evidence
high	DNS / OAST exfiltration	matched "dig $(" · github.com/francescostabile/[email protected]/agent/packages/numasec/src/security/kb/templates/exploitation/exploit-injection-methodology.yaml
high	DNS / OAST exfiltration	matched "burpcollaborator.net" · github.com/francescostabile/[email protected]/agent/packages/numasec/src/security/kb/templates/exploitation/exploit-serverside-methodology.yaml
high	DNS / OAST exfiltration	matched "burpcollaborator.net" · github.com/francescostabile/[email protected]/agent/packages/numasec/src/security/kb/templates/payloads/ssrf-lfi-payloads.yaml

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`v1.1.17`	Low risk	0	2026-06-08
`v1.2.0`	Low risk	0	2026-06-08
`v1.1.19`	Low risk	0	2026-06-08
`v1.1.16`	Low risk	0	2026-06-08
`v1.1.18`	Low risk	0	2026-06-08
`v1.1.9`	Low risk	0	2026-06-08
`v1.1.12`	Low risk	0	2026-06-08
`v1.1.11`	Low risk	0	2026-06-08
`v1.1.10`	Low risk	0	2026-06-08
`v1.1.4`	High risk	95	2026-06-08
`v1.1.5`	Low risk	0	2026-06-08
`v1.1.6`	Low risk	0	2026-06-08
`v1.1.7`	Low risk	0	2026-06-08
`v1.1.8`	Low risk	0	2026-06-08
`v1.1.13`	Low risk	0	2026-06-08
`v1.1.14`	Low risk	0	2026-06-08

Block this in CI

PkgRadar gates github.com/FrancescoStabile/numasec (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/FrancescoStabile/[email protected]