PkgRadar

Go modules · proxy.golang.org

github.com/francescostabile/numasec

DNS / OAST exfiltration: matched "dig $("

Why PkgRadar flagged v1.1.4

SeveritySignalEvidence
highDNS / OAST exfiltrationmatched "dig $(" · github.com/francescostabile/[email protected]/agent/packages/numasec/src/security/kb/templates/exploitation/exploit-injection-methodology.yaml
highDNS / OAST exfiltrationmatched "burpcollaborator.net" · github.com/francescostabile/[email protected]/agent/packages/numasec/src/security/kb/templates/exploitation/exploit-serverside-methodology.yaml
highDNS / OAST exfiltrationmatched "burpcollaborator.net" · github.com/francescostabile/[email protected]/agent/packages/numasec/src/security/kb/templates/payloads/ssrf-lfi-payloads.yaml

Scanned versions

VersionVerdictScoreScanned (UTC)
v1.1.7Low risk02026-06-08
v1.1.18Low risk02026-06-08
v1.1.13Low risk02026-06-08
v1.1.14Low risk02026-06-08
v1.1.8Low risk02026-06-08
v1.1.9Low risk02026-06-08
v1.1.17Low risk02026-06-08
v1.1.4High risk952026-06-08
v1.1.5Low risk02026-06-08
v1.1.6Low risk02026-06-08

Block this in CI

PkgRadar gates github.com/francescostabile/numasec (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem go github.com/francescostabile/[email protected]
Start free — 25 scans / moView full evidence