PkgRadar

PyPI · pypi.org

feral-ai

Webhook Exfil Endpoint: matched "api.telegram.org/bot"

Why PkgRadar flagged 2026.6.10

| Severity | Signal | Evidence |
|---|---|---|
| high | Webhook Exfil Endpoint | matched "api.telegram.org/bot" · feral_ai-2026.6.10/security/probe.py |
| high | Py Runtime Dynamic Dangerous Import | Dynamic __import__('subprocess') — reflection bypass for static checks. · feral_ai-2026.6.10/cli/main.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · feral_ai-2026.6.10/skills/impl/browser_use.py |
| medium | Credential file access | matched "AWS_ACCESS_KEY" · feral_ai-2026.6.10/config/loader.py |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 2026.6.10 | High risk | 145 | 2026-06-12 |
| 2026.6.9 | High risk | 145 | 2026-06-08 |
| 2026.6.8 | High risk | 145 | 2026-06-07 |
| 2026.6.7 | High risk | 145 | 2026-06-07 |
| 2026.6.6 | High risk | 145 | 2026-06-07 |
| 2026.6.5 | High risk | 145 | 2026-06-06 |
| 2026.6.4 | High risk | 145 | 2026-06-03 |
| 2026.6.3 | High risk | 145 | 2026-06-01 |
| 2026.6.2 | High risk | 145 | 2026-06-01 |
| 2026.6.1 | High risk | 145 | 2026-05-31 |
| 2026.5.49 | High risk | 145 | 2026-05-30 |
| 2026.5.48 | High risk | 145 | 2026-05-30 |
| 2026.5.47 | High risk | 145 | 2026-05-30 |
| 2026.5.46 | High risk | 145 | 2026-05-30 |
| 2026.5.45 | High risk | 145 | 2026-05-30 |
| 2026.5.44 | High risk | 145 | 2026-05-30 |
| 2026.5.43 | High risk | 145 | 2026-05-30 |
| 2026.5.42 | High risk | 145 | 2026-05-30 |

Block this in CI

PkgRadar gates feral-ai (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi feral-ai==2026.6.10