PkgRadar

PyPI · pypi.org

sunglasses

Python Bun Js Exec: Python file references the Bun JavaScript runtime — cross-language execution

Why PkgRadar flagged 0.2.65

Severity  Signal                  Evidence
high      Python Bun Js Exec      Python file references the Bun JavaScript runtime — cross-language execution · sunglasses-0.2.65/sunglasses/patterns.py
high      Webhook Exfil Endpoint  matched "webhook.site" · sunglasses-0.2.65/sunglasses/patterns.py

Scanned versions

Version  Verdict    Score  Scanned (UTC)
0.2.67   Review     54     2026-06-15
0.2.66   Review     51     2026-06-11
0.2.65   High risk  136    2026-06-10
0.2.64   High risk  96     2026-06-10
0.2.63   High risk  96     2026-06-08
0.2.62   High risk  96     2026-06-07
0.2.61   High risk  87     2026-06-06
0.2.60   High risk  87     2026-06-05
0.2.59   High risk  87     2026-06-04
0.2.58   High risk  87     2026-06-03
0.2.57   High risk  87     2026-06-02
0.2.56   High risk  87     2026-05-31
0.2.55   High risk  87     2026-05-31
0.2.54   High risk  87     2026-05-30
0.2.53   High risk  87     2026-05-30
0.2.52   High risk  87     2026-05-30
0.2.51   High risk  87     2026-05-30

Campaign attribution

Part of the Shai-Hulud (PyPI) campaign.

Block this in CI

PkgRadar gates sunglasses (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi sunglasses==0.2.65