PkgRadar

PyPI · pypi.org

attocode

Webhook Exfil Endpoint: matched "hooks.slack.com/services/"

Why PkgRadar flagged 0.2.25

SeveritySignalEvidence
highWebhook Exfil Endpointmatched "hooks.slack.com/services/" · attocode-0.2.25/eval/rule_accuracy/corpus/python/CWE-798/tp_hardcoded_secrets.py
highPy Runtime Dynamic Dangerous ImportDynamic __import__('subprocess') — reflection bypass for static checks. · attocode-0.2.25/src/attocode/code_intel/cli.py
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · attocode-0.2.25/src/attocode/code_intel/api/routes/notify.py
mediumCredential file accessmatched "AWS_ACCESS_KEY" · attocode-0.2.25/eval/rule_accuracy/corpus/python/CWE-798/tn_safe_config.py

Scanned versions

VersionVerdictScoreScanned (UTC)
0.2.25High risk1482026-05-31
0.2.24High risk1482026-05-30

Block this in CI

PkgRadar gates attocode (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi attocode==0.2.25
Start free — 25 scans / moView full evidence