PkgRadar

PyPI · pypi.org

nemo-retriever

Py Runtime Base64 Decode: base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.

Why PkgRadar flagged 2026.6.13.dev120

SeveritySignalEvidence
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · nemo_retriever-2026.6.13.dev120/src/nemo_retriever/harness/portal/app.py

Scanned versions

VersionVerdictScoreScanned (UTC)
2026.6.13.dev120High risk382026-06-13
2026.6.13.dev570High risk382026-06-13
2026.6.12.dev119High risk382026-06-12
2026.6.12.dev569High risk382026-06-12
2026.6.11.dev118High risk382026-06-11
2026.6.9.dev117High risk382026-06-10
2026.6.8.dev116High risk382026-06-08
2026.6.8.dev565High risk382026-06-08
2026.6.8.dev564High risk382026-06-08
2026.6.7.dev115High risk382026-06-07
2026.6.6.dev114High risk382026-06-06
2026.6.5.dev113High risk382026-06-05
2026.6.4.dev112High risk382026-06-04
2026.6.4.dev111High risk382026-06-04
2026.6.3.dev110High risk382026-06-03
2026.6.1.dev109High risk382026-06-01
2026.5.31.dev108High risk382026-05-31
2026.5.30.dev107High risk382026-05-30
2026.5.29.dev106High risk382026-05-30
26.5.0High risk382026-05-30
26.5rc9High risk382026-05-30
2026.5.28.dev105High risk382026-05-30
26.5rc8High risk382026-05-30
26.5rc7High risk382026-05-30
2026.5.27.dev104High risk382026-05-30
26.5rc6High risk382026-05-30
26.5rc5High risk382026-05-30
2026.5.26.dev103High risk382026-05-30

Block this in CI

PkgRadar gates nemo-retriever (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi nemo-retriever==2026.6.13.dev120
Start free — 25 scans / moView full evidence