PkgRadar

PyPI · pypi.org

dreadnode

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 2.0.30

| Severity | Signal | Evidence |
|---|---|---|
| high | Python Bun Js Exec | Python file references the Bun JavaScript runtime — cross-language execution · dreadnode-2.0.30/dreadnode/app/cli/task.py |
| high | Credential file access | matched "AWS_ACCESS_KEY" · dreadnode-2.0.30/dreadnode/transforms/competitive_parity.py |
| medium | Remote Payload | matched "curl " · dreadnode-2.0.30/dreadnode/transforms/supply_chain.py |
| medium | Credential file access | matched ".ssh/" · dreadnode-2.0.30/dreadnode/scorers/contains.py |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 2.0.30 | High risk | 51 | 2026-06-16 |
| 2.0.29 | High risk | 51 | 2026-06-12 |
| 2.0.28 | High risk | 31 | 2026-06-09 |
| 2.0.27 | High risk | 31 | 2026-05-30 |
| 2.0.26 | High risk | 31 | 2026-05-30 |

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates dreadnode (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi dreadnode==2.0.30