PyPI · pypi.org

aither-adk

Py Install Time Subprocess: subprocess call — process spawning.

Why PkgRadar flagged 2.8.1

Severity	Signal	Evidence
medium	Py Install Time Subprocess	subprocess call — process spawning. · aither_adk-2.8.1/adk/setup.py
medium	Py Install Time Subprocess	subprocess call — process spawning. · aither_adk-2.8.1/adk/shell/plugins/builtins/setup.py
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · aither_adk-2.8.1/adk/platform/ai/persona_image_system.py
high	Py Runtime Base64 Decode	base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · aither_adk-2.8.1/adk/setup_cli.py
high	Py Runtime Dynamic Dangerous Import	Dynamic __import__('sys') — reflection bypass for static checks. · aither_adk-2.8.1/adk/shell/repl.py
medium	Remote Payload	matched "curl " · aither_adk-2.8.1/setup-vllm.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.8.1`	High risk	162	2026-06-13
`2.8.0`	High risk	162	2026-06-12
`2.7.0`	High risk	92	2026-06-06
`2.6.4`	High risk	92	2026-06-05
`2.6.3`	High risk	92	2026-06-05
`2.6.2`	High risk	92	2026-06-05
`2.6.1`	High risk	92	2026-06-05
`2.6.0`	High risk	92	2026-06-05
`2.5.0`	High risk	92	2026-06-04
`2.4.1`	High risk	92	2026-06-03
`2.4.0`	High risk	92	2026-06-03
`2.1.0`	High risk	92	2026-06-02
`2.0.0`	High risk	92	2026-06-02
`1.24.0`	High risk	92	2026-05-30
`1.23.0`	High risk	92	2026-05-30
`1.22.0`	High risk	92	2026-05-30
`1.21.0`	High risk	92	2026-05-30
`1.20.0`	High risk	92	2026-05-30
`1.19.0`	High risk	92	2026-05-30
`1.18.1`	High risk	92	2026-05-30
`1.18.0`	High risk	92	2026-05-30
`1.17.0`	High risk	92	2026-05-30
`1.16.0`	Review	62	2026-05-30
`1.15.0`	Review	62	2026-05-30

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates aither-adk (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi aither-adk==2.8.1