PkgRadar

npm · registry.npmjs.org

@cline/shared

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 0.0.42-nightly.1779938293

SeveritySignalEvidence
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/index.js
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/remote-config/index.js

Scanned versions

VersionVerdictScoreScanned (UTC)
0.0.48-nightly.1781666345Low risk02026-06-17
0.0.49Low risk02026-06-17
0.0.48Low risk02026-06-17
0.0.47-nightly.1781580004Low risk02026-06-16
0.0.47-nightly.1781493618Low risk02026-06-15
0.0.47-nightly.1781320576Low risk02026-06-13
0.0.47Low risk02026-06-11
0.0.46-nightly.1781061443Low risk02026-06-11
0.0.46-nightly.1781147825Low risk02026-06-11
0.0.46Low risk02026-06-10
0.0.45Low risk02026-06-09
0.0.44Low risk02026-06-09
0.0.43-nightly.1780975055Low risk02026-06-09
0.0.43-nightly.1780802275Low risk02026-06-07
0.0.43-nightly.1780715752Low risk02026-06-06
0.0.43-nightly.1780629505Low risk02026-06-05
0.0.43Low risk02026-06-04
0.0.42-nightly.1780514867Low risk02026-06-03
0.0.42-nightly.1780456864Low risk02026-06-03
0.0.42-nightly.1780370445Low risk02026-06-02
0.0.42-nightly.1780110921Low risk02026-05-30
0.0.42-nightly.1779938293Review152026-05-28
0.0.42-nightly.1779851892Review32026-05-27
0.0.42-nightly.1779506103Review32026-05-26
0.0.42-nightly.1779765362Review32026-05-26

Block this in CI

PkgRadar gates @cline/shared (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @cline/[email protected]
Start free — 25 scans / moView full evidence