npm · registry.npmjs.org

@blundergoat/gruff-ts

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Why PkgRadar flagged 0.4.0

Severity	Signal	Evidence
high	Js Split Join Obfuscation	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/src/test-fixtures.ts
high	Webhook Exfil Endpoint	matched "hooks.slack.com/services/" · package/src/test-fixtures.ts

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.4.0`	High risk	90	2026-06-10
`0.3.2`	High risk	90	2026-06-10
`0.3.1`	High risk	90	2026-06-10
`0.3.0`	High risk	90	2026-06-10
`0.2.0`	Review	20	2026-05-27
`0.1.0`	Review	136	2026-05-24
`0.1.1`	Review	136	2026-05-24

Related campaigns

js_split_join_obfuscation:array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. — 75 releases, max score 333
webhook_exfil_endpoint:matched "hooks.slack.com/services/" — 60 releases, max score 272

Block this in CI

PkgRadar gates @blundergoat/gruff-ts (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @blundergoat/[email protected]

Start free — 25 scans / mo View full evidence