PkgRadar

PyPI · pypi.org

orchestr8-platform

Py Runtime Base64 Decode: base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.

Why PkgRadar flagged 3.3.2

SeveritySignalEvidence
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · orchestr8/cli.py
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · orchestr8/auth/keycloak_idp.py
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · orchestr8/commands/argocd.py
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · orchestr8/core/orchestrator.py
mediumCredential file accessmatched "GOOGLE_APPLICATION_CREDENTIALS" · orchestr8/commands/secrets.py

Scanned versions

VersionVerdictScoreScanned (UTC)
3.3.2High risk452026-06-07

Block this in CI

PkgRadar gates orchestr8-platform (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi orchestr8-platform==3.3.2
Start free — 25 scans / moView full evidence