PkgRadar

PyPI · pypi.org

sh

Py Import Time Compile Exec: Python exec(compile(...)) — typical obfuscated loader pattern.

Why PkgRadar flagged 2.3.0

Severity  Signal                       Evidence
high      Py Import Time Compile Exec  Python exec(compile(...)) — typical obfuscated loader pattern. · sh-2.3.0/src/sh/__init__.py
high      Py Import Time Os System     Direct shell invocation via os.system / os.popen / os.exec*. · sh-2.3.0/src/sh/__init__.py

Scanned versions

Version  Verdict    Score  Scanned (UTC)
2.3.0    High risk  50     2026-06-09
2.2.6    Low risk   0      2026-06-08
2.2.5    Low risk   0      2026-06-07
2.2.4    Low risk   0      2026-06-06
2.2.3    Low risk   0      2026-06-05

Block this in CI

PkgRadar gates sh (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi sh==2.3.0