PkgRadar

PyPI · pypi.org

cognis-executor

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 0.9.0

SeveritySignalEvidence
highPython Bun Js ExecPython file references the Bun JavaScript runtime — cross-language execution · cognis_executor-0.9.0/cognis/tools/executor/lsp/install.py
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · cognis_executor-0.9.0/cognis/tools/executor/document.py

Scanned versions

VersionVerdictScoreScanned (UTC)
0.9.0High risk802026-06-14
0.8.0High risk802026-06-10
0.7.0High risk402026-05-31

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates cognis-executor (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi cognis-executor==0.9.0
Start free — 25 scans / moView full evidence