npm · registry.npmjs.org

@dcl/scene-runtime

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 7.0.6-20240220184109.commit-cf1e4e2

Severity	Signal	Evidence
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/sdk6-webworker.js
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/sdk7-webworker.js
medium	Large Javascript Payload	2795165 bytes · package/dist/sdk6-webworker.dev.js
medium	Large Javascript Payload	2848732 bytes · package/dist/sdk7-webworker.dev.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`7.0.6-20240220184109.commit-cf1e4e2`	Review	35	2026-05-28
`7.0.6-20240515153908.commit-adbf9e7`	Review	35	2026-05-28

Block this in CI

PkgRadar gates @dcl/scene-runtime (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @dcl/[email protected]