npm · registry.npmjs.org
@ccrpc/tip
Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.
Why PkgRadar flagged 0.4.11
| Severity | Signal | Evidence |
|---|---|---|
| high | Js Decode Then Exec | base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/tip/p-4bb183a6.entry.js |
| high | Js Split Join Obfuscation | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist/tip/p-b96f8cd6.js |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
0.4.11 | Review | 59 | 2026-05-28 |
0.4.12 | Review | 59 | 2026-05-28 |
Block this in CI
pkgradar gate --ecosystem npm @ccrpc/[email protected]