PkgRadar

npm · registry.npmjs.org

@mescius/wijmo

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 5.20261.51-nightly.d20260528.t201413

SeveritySignalEvidence
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/es2015-commonjs.js
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/es2015-esm.js

Scanned versions

VersionVerdictScoreScanned (UTC)
5.20262.53-nightly.d20260612.t171109Low risk02026-06-12
5.20261.52-rcLow risk02026-06-12
5.20261.51-nightly.d20260612.t014144Low risk02026-06-12
5.20261.51-nightly.d20260611.t160617Low risk02026-06-11
5.20261.51-nightly.d20260611.t112051Low risk02026-06-11
5.20261.51-nightly.d20260611.t041520Low risk02026-06-11
5.20261.50Low risk02026-06-10
5.20261.51-nightly.d20260609.t200823Low risk02026-06-10
5.20261.51-nightly.d20260610.t201239Low risk02026-06-10
5.20261.51-nightly.d20260608.t204119Low risk02026-06-08
5.20261.51-nightly.d20260605.t195721Low risk02026-06-05
5.20261.51-nightly.d20260604.t195907Low risk02026-06-04
5.20261.51-nightly.d20260603.t195332Low risk02026-06-03
5.20261.51-nightly.d20260602.t202320Low risk02026-06-02
5.20261.51-nightly.d20260601.t200511Low risk02026-06-01
5.20261.51-nightly.d20260529.t201513Low risk02026-05-29
5.20261.51-nightly.d20260528.t201413Review252026-05-28
5.20261.51-nightly.d20260527.t205048Low risk02026-05-28
5.20261.51-nightly.d20260519.t174413Low risk02026-05-27
5.20261.51-nightly.d20260527.t011028Low risk02026-05-27

Block this in CI

PkgRadar gates @mescius/wijmo (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @mescius/[email protected]
Start free — 25 scans / moView full evidence