npm · registry.npmjs.org

@dyyz1993/xbrowser

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 0.13.2

Severity	Signal	Evidence
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/cli.js
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/daemon-main.js
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/index.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`0.13.2`	Review	35	2026-05-29
`0.14.0`	Review	35	2026-05-29

Block this in CI

PkgRadar gates @dyyz1993/xbrowser (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @dyyz1993/[email protected]