PyPI · pypi.org

openaca

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 0.1.0

Severity	Signal	Evidence
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · openaca-0.1.0/tools/parsers/__init__.py
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · openaca-0.1.0/tools/parsers/bun_lock.py
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · openaca-0.1.0/tools/parsers/claude_install.py
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · openaca-0.1.0/tools/parsers/mcp_json.py
medium	Remote Payload	matched "curl " · openaca-0.1.0/deploy/remote/intune-macos.sh
medium	Remote Payload	matched "curl " · openaca-0.1.0/deploy/remote/jamf.sh
medium	Remote Payload	matched "curl " · openaca-0.1.0/deploy/remote/kandji.sh

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.1.0`	High risk	86	2026-06-12
`0.1.0b8`	High risk	86	2026-06-09
`0.1.0b7`	High risk	86	2026-06-09
`0.1.0b6`	High risk	36	2026-06-03

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates openaca (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi openaca==0.1.0