PkgRadar

npm · registry.npmjs.org

@replit/replbox

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Why PkgRadar flagged 2.17.0

SeveritySignalEvidence
highJs Split Join ObfuscationArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist/coffeescript.js
highJs Split Join ObfuscationArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist/html.js
highJs Split Join ObfuscationArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist/javascript.js
highJs Split Join ObfuscationArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist/roy.js
highJs Split Join ObfuscationArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/dist/web_project.js
mediumRemote Dependency SpecdevDependencies.apl="git+https://github.com/ngn/apl.git#cc314fe3be5f2d018d556b7e91916711e46d265e" · package.json
mediumRemote Dependency SpecdevDependencies.biwascheme="git+https://github.com/masad-frost/biwascheme.git#3c0d5a67cd1af696c69ab7fb085b2f42c8b0586c" · package.json

Scanned versions

VersionVerdictScoreScanned (UTC)
2.17.0High risk332026-06-20
2.18.0High risk332026-06-20
2.19.0High risk332026-06-20
2.20.0High risk332026-06-20

Block this in CI

PkgRadar gates @replit/replbox (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @replit/[email protected]
Start free — 25 scans / moView full evidence