PkgRadar

PyPI · pypi.org

nexus-fab

Py Import Time Eval Exec: Python eval()/exec() called on a string.

Why PkgRadar flagged 0.1.0

SeveritySignalEvidence
mediumPy Import Time Eval ExecPython eval()/exec() called on a string. · nexus_fab-0.1.0/src/mal_py/__init__.py
mediumPy Import Time Pickle Loadspickle/marshal.loads — deserializes arbitrary objects, RCE if attacker-controlled. · nexus_fab-0.1.0/src/mal_py/__init__.py

Scanned versions

VersionVerdictScoreScanned (UTC)
0.1.0Review482026-06-08

Block this in CI

PkgRadar gates nexus-fab (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi nexus-fab==0.1.0
Start free — 25 scans / moView full evidence