PkgRadar

npm · registry.npmjs.org

@kne-components/components-core

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 0.4.72

SeveritySignalEvidence
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/build/static/js/6351.a1c97c9b.chunk.js
mediumObfuscation Densityhigh encoded/escaped-token density · package/build/static/js/2833.9ab90527.chunk.js
mediumObfuscation Densityhigh encoded/escaped-token density · package/build/static/js/4965.2167f384.chunk.js
mediumObfuscation Densityhigh encoded/escaped-token density · package/build/static/js/7591.e5252eff.chunk.js
mediumObfuscation Densityhigh encoded/escaped-token density · package/build/static/js/7901.efe08627.chunk.js
mediumLarge Javascript Payload4404908 bytes · package/build/static/js/2488.61fab196.chunk.js

Scanned versions

VersionVerdictScoreScanned (UTC)
0.5.0Low risk02026-06-04
0.4.75Low risk02026-06-02
0.4.74Low risk02026-06-01
0.4.72Review512026-05-28
0.4.73Review512026-05-28

Block this in CI

PkgRadar gates @kne-components/components-core (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @kne-components/[email protected]
Start free — 25 scans / moView full evidence