PkgRadar

PyPI · pypi.org

medusa-security

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 2026.6.0

Severity | Signal | Evidence
---------|--------|---------
high | Python Bun Js Exec | Python file references the Bun JavaScript runtime — cross-language execution · medusa_security-2026.6.0/medusa/scanners/trivy_scanner.py
high | DNS / OAST exfiltration | matched "burpcollaborator.net" · medusa_security-2026.6.0/medusa/rules/agent_security/exfiltration_agents_2026.yaml
medium | Credential file access | matched "id_rsa" · medusa_security-2026.6.0/medusa/scanners/mcp_server_scanner.py

Scanned versions

Version | Verdict | Score | Scanned (UTC)
--------|---------|-------|--------------
2026.6.0 | High risk | 109 | 2026-06-10
2026.5.11 | High risk | 77 | 2026-05-30

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates medusa-security (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi medusa-security==2026.6.0