npm · registry.npmjs.org

@qratilabs/qrati-connect

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 2.22.1-beta.4

Severity	Signal	Evidence
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/react/hJHNlhdp-CzKPaGH-.js
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/react/hJHNlhdp-HL36r6jO.js
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/element/hJHNlhdp.js
medium	Large Javascript Payload	6694573 bytes · package/umd/web.umd.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`2.22.1-beta.4`	Review	18	2026-05-28
`2.22.4`	Review	18	2026-05-28
`2.22.1-beta.1`	Review	18	2026-05-28
`2.22.1`	Review	18	2026-05-28
`2.22.0-beta.2`	Review	3	2026-05-27
`2.22.0-beta.3`	Review	3	2026-05-27

Block this in CI

PkgRadar gates @qratilabs/qrati-connect (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @qratilabs/[email protected]