PyPI · pypi.org

topos-node

Py Runtime Base64 Decode: base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern.

Why PkgRadar flagged 0.1.15

Severity	Signal	Evidence
high	Py Runtime Base64 Decode	base64/hex decode combined with exec/subprocess — classic obfuscated payload pattern. · topos_node-0.1.15/topos/ingestion/sources/signal_reader.py

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.1.15`	High risk	30	2026-06-16
`0.1.14`	High risk	30	2026-06-16
`0.1.13`	High risk	30	2026-06-10
`0.1.12`	High risk	30	2026-06-09
`0.1.11`	High risk	30	2026-06-09
`0.1.10`	High risk	30	2026-06-09
`0.1.9`	High risk	30	2026-06-04
`0.1.8`	High risk	30	2026-06-04
`0.1.7`	High risk	30	2026-06-01
`0.1.6`	High risk	30	2026-06-01
`0.1.5`	High risk	30	2026-06-01
`0.1.4`	High risk	30	2026-06-01
`0.1.3`	High risk	30	2026-06-01
`0.1.2`	High risk	30	2026-06-01
`0.1.1`	High risk	30	2026-06-01
`0.1.0`	High risk	30	2026-06-01

Block this in CI

PkgRadar gates topos-node (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem pypi topos-node==0.1.15