PkgRadar

npm · registry.npmjs.org

@flui-cloud/cli

Js Decode Then Exec: base64 / atob / fromCharCode decode adjacent to eval / new Function — canonical obfuscated-loader pattern.

Why PkgRadar flagged 0.0.1

SeveritySignalEvidence
highJs Decode Then Execbase64 / atob / fromCharCode decode adjacent to eval / new Function — canonical obfuscated-loader pattern. · package/lib/cli/src/commands/auth/reset-password.js
mediumRemote Payloadmatched "raw.githubusercontent.com" · package/lib/cli/src/lib/template-fetcher.js
mediumCredential file accessmatched "id_rsa" · package/lib/cli/src/services/cli-ssh.service.js
mediumCredential file accessmatched ".ssh/" · package/lib/cli/src/commands/standalone/install.js

Scanned versions

VersionVerdictScoreScanned (UTC)
0.0.1Review802026-06-06
0.1.0Review802026-06-06

Block this in CI

PkgRadar gates @flui-cloud/cli (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @flui-cloud/[email protected]
Start free — 25 scans / moView full evidence