npm · registry.npmjs.org

@llmist/testing

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 18.0.0

Severity	Signal	Evidence
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/index.cjs
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/index.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`18.2.0`	Low risk	0	2026-06-04
`18.1.0`	Low risk	0	2026-05-29
`18.0.0`	Review	50	2026-05-29
`17.5.0`	Low risk	0	2026-05-26
`17.6.0`	Low risk	0	2026-05-26

Block this in CI

PkgRadar gates @llmist/testing (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @llmist/[email protected]