PyPI · pypi.org

cobra4

Py Runtime Base64 Decode: base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.

Why PkgRadar flagged 0.6.1

Severity	Signal	Evidence
high	Py Runtime Base64 Decode	base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · cobra4-0.6.1/cobra4/idle.py
medium	Py Import Time Pickle Loads	pickle/marshal.loads — deserializes arbitrary objects, RCE if attacker-controlled. · cobra4-0.6.1/cobra4/stdlib/__init__.py
medium	Py Import Time Eval Exec	Python eval()/exec() called on a string. · cobra4-0.6.1/cobra4/stdlib/__init__.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.6.1`	High risk	78	2026-06-05

Block this in CI

PkgRadar gates cobra4 (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi cobra4==0.6.1