PkgRadar

PyPI · pypi.org

bingo-ai

DNS / OAST exfiltration: matched "dig @attacker.com $("

Why PkgRadar flagged 1.0.9

SeveritySignalEvidence
highDNS / OAST exfiltrationmatched "dig @attacker.com $(" · bingo_ai-1.0.9/bingo/skills/skills_data.py
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · bingo_ai-1.0.9/vendor/sqlmap/thirdparty/bottle/bottle.py
mediumPy Import Time Eval ExecPython eval()/exec() called on a string. · bingo_ai-1.0.9/vendor/sqlmap/thirdparty/six/__init__.py

Scanned versions

VersionVerdictScoreScanned (UTC)
1.0.9High risk892026-06-11
1.0.5High risk892026-06-11
1.0.4High risk892026-06-11
1.0.3High risk892026-06-11
1.0.2High risk892026-06-11
1.0.0High risk352026-06-11

Block this in CI

PkgRadar gates bingo-ai (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi bingo-ai==1.0.9
Start free — 25 scans / moView full evidence