PkgRadar

npm · registry.npmjs.org

@dcrays/dcgchat-test

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 0.5.40

SeveritySignalEvidence
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/index.js
mediumObfuscation Densityhigh encoded/escaped-token density · package/index.js

Scanned versions

VersionVerdictScoreScanned (UTC)
0.5.48Low risk02026-06-12
0.5.47Low risk02026-06-10
0.5.46Low risk02026-06-10
0.5.45Low risk02026-06-10
0.5.43Low risk02026-06-03
0.5.44Low risk02026-06-03
0.5.42Low risk02026-06-03
0.5.41Low risk02026-06-03
0.5.40Review572026-05-28
0.5.39Review572026-05-28
0.5.36Low risk02026-05-28

Block this in CI

PkgRadar gates @dcrays/dcgchat-test (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @dcrays/[email protected]
Start free — 25 scans / moView full evidence