PyPI · pypi.org

skyline-agent

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 0.1.12

Severity	Signal	Evidence
high	Python Bun Js Exec	Python file references the Bun JavaScript runtime — cross-language execution · skyline_requester/local_requester.py
high	Py Runtime Base64 Decode	base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · skyline_requester/local_requester.py
high	Py Runtime Base64 Decode	base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · skyline_shared/helper_security.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.1.12`	High risk	90	2026-06-17
`0.1.11`	High risk	50	2026-06-05
`0.1.10`	High risk	50	2026-06-02
`0.1.9`	High risk	50	2026-06-01
`0.1.8`	High risk	50	2026-06-01
`0.1.7`	High risk	50	2026-06-01

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates skyline-agent (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi skyline-agent==0.1.12