PyPI · pypi.org
picosentry
Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution
Why PkgRadar flagged 2.0.13
| Severity | Signal | Evidence |
|---|---|---|
| high | Python Bun Js Exec | Python file references the Bun JavaScript runtime — cross-language execution · picosentry/sandbox/cli_commands/_common.py |
| high | Python Bun Js Exec | Python file references the Bun JavaScript runtime — cross-language execution · picosentry/scan/rules/worm_propagation.py |
| high | Py Runtime Base64 Decode | base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · picosentry/scan/crypto.py |
| high | Credential file access | matched ".npmrc" · picosentry/scan/rules/post_install.py |
| high | Credential file access | matched ".pypirc" · picosentry/scan/rules/pypi_post_install.py |
| high | Py Runtime Dynamic Dangerous Import | Dynamic __import__('sys') — reflection bypass for static checks. · picosentry/watch/server.py |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
2.0.13 | High risk | 210 | 2026-06-13 |
2.0.9 | High risk | 160 | 2026-06-06 |
2.0.7 | High risk | 160 | 2026-06-06 |
2.0.2 | High risk | 160 | 2026-06-06 |
2.0.1 | High risk | 160 | 2026-06-06 |
1.0.1 | High risk | 75 | 2026-06-01 |
1.0.0 | High risk | 75 | 2026-06-01 |
0.16.0 | High risk | 70 | 2026-05-30 |
Block this in CI
pkgradar gate --ecosystem pypi picosentry==2.0.13