PkgRadar

PyPI · pypi.org

praisonai

Py Install Time Subprocess: subprocess call — process spawning.

Why PkgRadar flagged 4.6.58

SeveritySignalEvidence
mediumPy Install Time Subprocesssubprocess call — process spawning. · praisonai-4.6.58/praisonai/cli/commands/setup.py
mediumPy Install Time Subprocesssubprocess call — process spawning. · praisonai-4.6.58/praisonai/setup.py
highPython Bun Js ExecPython file references the Bun JavaScript runtime — cross-language execution · praisonai-4.6.58/praisonai/cli/features/mcp.py
mediumPy Import Time Subprocesssubprocess call — process spawning. · praisonai-4.6.58/praisonai/flow/__init__.py
highPy Runtime Base64 Decodebase64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · praisonai-4.6.58/praisonai/browser/cli.py
mediumCredential file accessmatched "GOOGLE_APPLICATION_CREDENTIALS" · praisonai-4.6.58/praisonai/persistence/state/firestore.py

Scanned versions

VersionVerdictScoreScanned (UTC)
4.6.58High risk962026-06-13
4.6.57High risk962026-06-13
4.6.56High risk962026-06-12
4.6.55High risk962026-06-12
4.6.54High risk962026-06-12
4.6.53High risk962026-06-12
4.6.52High risk762026-06-03
4.6.51High risk762026-06-02
4.6.50High risk762026-06-02
4.6.48High risk762026-05-30
4.6.47High risk762026-05-30

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates praisonai (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi praisonai==4.6.58
Start free — 25 scans / moView full evidence
praisonai — PyPI security scan | PkgRadar