npm · registry.npmjs.org

@formbird/angular-elements

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 7.5.43

Severity	Signal	Evidence
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/sc-thumbnail/main.js
high	Remote Dependency Spec	dependencies.daypilot-pro-angular="https://npm.daypilot.org/daypilot-pro-angular/2tt2wiswfjfxhcpucen75wu7b4/2022.4.5442.tar.gz" · package.json
medium	Large Javascript Payload	3011815 bytes · package/dist/mapping-components/main.js
medium	Large Javascript Payload	4803459 bytes · package/dist/sc-components/main.js
medium	Large Javascript Payload	2304022 bytes · package/dist/sc-markdown/main.js
medium	Large Javascript Payload	3912133 bytes · package/dist/sc-note-comment/main.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`7.5.43`	Review	33	2026-05-28
`8.5.5`	Review	37	2026-05-28

Block this in CI

PkgRadar gates @formbird/angular-elements (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @formbird/[email protected]