PkgRadar

PyPI · pypi.org

meshagent-cli

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 0.44.11

| Severity | Signal | Evidence |
|---|---|---|
| high | Python Bun Js Exec | Python file references the Bun JavaScript runtime — cross-language execution · meshagent_cli-0.44.11/meshagent/cli/tui/setup_splash_frames.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · meshagent_cli-0.44.11/meshagent/cli/ask.py |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 0.44.11 | High risk | 37 | 2026-06-11 |
| 0.44.10 | High risk | 17 | 2026-06-07 |
| 0.44.9 | High risk | 17 | 2026-06-07 |
| 0.44.8 | High risk | 17 | 2026-06-06 |
| 0.44.7 | High risk | 17 | 2026-06-06 |
| 0.44.6 | High risk | 17 | 2026-06-04 |
| 0.44.5 | High risk | 17 | 2026-06-04 |
| 0.44.4 | High risk | 17 | 2026-06-04 |
| 0.44.3 | High risk | 17 | 2026-06-03 |
| 0.44.2 | High risk | 17 | 2026-06-02 |
| 0.44.1 | High risk | 17 | 2026-06-02 |
| 0.44.0 | High risk | 17 | 2026-06-02 |
| 0.43.3 | High risk | 17 | 2026-05-30 |
| 0.43.2 | High risk | 17 | 2026-05-30 |
| 0.43.1 | High risk | 17 | 2026-05-30 |
| 0.43.0 | High risk | 17 | 2026-05-30 |

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates meshagent-cli (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi meshagent-cli==0.44.11