npm · registry.npmjs.org
@fmsim/fmsim
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Why PkgRadar flagged 0.0.101
| Severity | Signal | Evidence |
|---|---|---|
| high | Js Split Join Obfuscation | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist-app/fmsim/auth/activate.js |
| high | Js Split Join Obfuscation | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist-app/fmsim/auth/checkin.js |
| high | Js Split Join Obfuscation | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist-app/fmsim/auth/signin.js |
| high | Js Split Join Obfuscation | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist-app/fmsim/auth/signup.js |
| medium | Remote Payload | matched "curl " · package/installer/install.sh |
| medium | Remote Payload | matched "curl " · package/installer/upgrade.sh |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
0.0.101 | Review | 37 | 2026-06-16 |
0.0.88 | Review | 37 | 2026-06-16 |
0.0.99 | Review | 37 | 2026-06-16 |
2.0.0-beta.87 | Low risk | 0 | 2026-06-16 |
2.0.0-beta.86 | Low risk | 0 | 2026-06-09 |
2.0.0-beta.85 | Low risk | 0 | 2026-06-03 |
2.0.0-beta.84 | Low risk | 0 | 2026-05-28 |
2.0.0-beta.83 | Low risk | 0 | 2026-05-26 |
2.0.0-beta.82 | Low risk | 0 | 2026-05-26 |
Block this in CI
pkgradar gate --ecosystem npm @fmsim/[email protected]