PkgRadar

PyPI · pypi.org

nexu

Py Runtime Base64 Decode: base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.

Why PkgRadar flagged 0.5.23

SeveritySignalEvidence
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · nexu-0.5.23/src/nexu/cinema_project_imports.py

Scanned versions

VersionVerdictScoreScanned (UTC)
0.5.23High risk302026-06-01
0.5.22High risk302026-06-01
0.5.21High risk302026-06-01
0.5.20High risk302026-05-31
0.5.19High risk302026-05-31
0.5.18Low risk02026-05-31
0.5.17Low risk02026-05-31
0.5.16Low risk02026-05-31
0.5.14Low risk02026-05-31
0.5.15Low risk02026-05-31
0.5.13Low risk02026-05-31
0.5.12Low risk02026-05-31
0.5.11Low risk02026-05-31
0.5.10Low risk02026-05-31
0.5.9Low risk02026-05-31
0.5.8Low risk02026-05-31
0.5.7Low risk02026-05-31
0.5.6Low risk02026-05-31
0.5.5Low risk02026-05-31
0.5.4Low risk02026-05-30
0.5.3Low risk02026-05-30
0.5.2Low risk02026-05-30
0.5.1Low risk02026-05-30
0.2.6Low risk02026-05-29
0.2.5Low risk02026-05-29

Block this in CI

PkgRadar gates nexu (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi nexu==0.5.23
Start free — 25 scans / moView full evidence