PyPI · pypi.org

nemo-gym

Py Runtime Base64 Decode: base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.

Why PkgRadar flagged 0.3.0

Severity	Signal	Evidence
high	Py Runtime Base64 Decode	base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · nemo_gym-0.3.0/resources_servers/swerl_gen/eval/eval_instance.py
high	Py Runtime Base64 Decode	base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · nemo_gym-0.3.0/resources_servers/swerl_gen/eval/singularity_utils.py
medium	Remote Payload	matched "curl " · nemo_gym-0.3.0/responses_api_agents/swe_agents/setup_scripts/openhands.sh
medium	Remote Payload	matched "curl " · nemo_gym-0.3.0/responses_api_agents/swe_agents/setup_scripts/r2e_gym.sh
medium	Remote Payload	matched "curl " · nemo_gym-0.3.0/responses_api_agents/swe_agents/setup_scripts/swebench.sh
medium	Remote Payload	matched "curl " · nemo_gym-0.3.0/responses_api_agents/swe_agents/setup_scripts/swebench_multilingual.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.3.0`	High risk	98	2026-06-04
`0.3.1`	High risk	98	2026-06-04

Block this in CI

PkgRadar gates nemo-gym (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi nemo-gym==0.3.0