PkgRadar

npm · registry.npmjs.org

@ai-productivity-tracker/cli

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 1.1.0

| Severity | Signal | Evidence |
| --- | --- | --- |
| high | Js Decode Then Exec | base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/cli.mjs |
| high | Js Split Join Obfuscation | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist/web/assets/element-plus-C9CaBDgF.js |

Scanned versions

| Version | Verdict | Score | Scanned (UTC) |
| --- | --- | --- | --- |
| 1.1.0 | Review | 59 | 2026-05-29 |
| 1.0.0-rc.29 | Review | 59 | 2026-05-29 |
| 1.0.0-rc.28 | Review | 85 | 2026-05-29 |
| 1.0.0-rc.27 | Review | 59 | 2026-05-29 |
| 1.0.0-rc.26 | Review | 67 | 2026-05-28 |
| 1.0.0-rc.25 | Review | 67 | 2026-05-28 |
| 1.0.0-rc.23 | Review | 67 | 2026-05-28 |
| 1.0.0-rc.24 | Review | 67 | 2026-05-28 |
| 1.0.0-rc.21 | Low risk | 0 | 2026-05-27 |
| 1.0.0-rc.22 | Low risk | 0 | 2026-05-27 |
| 1.0.0-rc.19 | Low risk | 0 | 2026-05-27 |
| 1.0.0-rc.17 | Low risk | 0 | 2026-05-26 |
| 1.0.0-rc.18 | Low risk | 0 | 2026-05-26 |
| 1.0.0-rc.14 | Low risk | 0 | 2026-05-26 |
| 1.0.0-rc.15 | Low risk | 0 | 2026-05-26 |
| 1.0.0-rc.13 | Low risk | 0 | 2026-05-26 |
| 1.0.0-rc.11 | Low risk | 0 | 2026-05-25 |
| 1.0.0-rc.12 | Low risk | 0 | 2026-05-25 |
| 1.0.0-rc.10 | Low risk | 0 | 2026-05-25 |
| 1.0.0-rc.9 | Low risk | 0 | 2026-05-25 |
| 1.0.0-rc.8 | Review | 12 | 2026-05-25 |
| 1.0.0-rc.7 | Review | 24 | 2026-05-25 |
| 1.0.0-rc.6 | Review | 24 | 2026-05-25 |
| 1.0.0-rc.5 | Review | 24 | 2026-05-25 |
| 1.0.0-rc.4 | Review | 24 | 2026-05-25 |
| 1.0.0-rc.3 | Review | 24 | 2026-05-25 |
| 1.0.0-rc.2 | Review | 24 | 2026-05-25 |
| 1.0.0-rc.1 | Review | 24 | 2026-05-25 |

Block this in CI

PkgRadar gates @ai-productivity-tracker/cli (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @ai-productivity-tracker/cli@1.1.0