npm · registry.npmjs.org

@sentio/runtime

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 3.9.0-rc.12

Severity	Signal	Evidence
high	Js Decode Then Exec	base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/lib/chunk-EXIISBRV.js

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`4.0.0-rc.3`	Low risk	0	2026-06-11
`4.0.0-rc.2`	Low risk	0	2026-06-10
`2.62.0-rc.16`	Low risk	0	2026-06-10
`2.62.0-rc.13`	Low risk	0	2026-06-10
`2.62.0-rc.14`	Low risk	0	2026-06-10
`2.63.1`	Low risk	0	2026-06-05
`3.8.1`	Low risk	0	2026-06-05
`3.8.1-rc3.1`	Low risk	0	2026-06-04
`2.63.1-rc2.1`	Low risk	0	2026-06-04
`3.8.0`	Low risk	0	2026-06-03
`2.63.0`	Low risk	0	2026-06-03
`3.8.0-rc3.4`	Low risk	0	2026-06-03
`2.63.0-rc2.3`	Low risk	0	2026-06-03
`2.63.0-rc2.1`	Low risk	0	2026-06-02
`2.63.0-rc2.2`	Low risk	0	2026-06-02
`3.8.0-rc3.3`	Low risk	0	2026-06-02
`3.8.0-rc3.2`	Low risk	0	2026-06-02
`3.8.0-rc3.1`	Low risk	0	2026-06-02
`4.0.0-rc.1`	Low risk	0	2026-06-02
`3.9.0-rc.14`	Low risk	0	2026-06-01
`3.9.0-rc.13`	Low risk	0	2026-05-30
`3.9.0-rc.12`	Review	13	2026-05-29
`3.9.0-rc.11`	Review	13	2026-05-29
`3.9.0-rc.10`	Review	13	2026-05-29
`3.9.0-rc.8`	Review	13	2026-05-28
`3.9.0-rc.9`	Review	13	2026-05-28
`3.9.0-rc.6`	Review	16	2026-05-28
`3.9.0-rc.7`	Review	16	2026-05-28

Block this in CI

PkgRadar gates @sentio/runtime (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @sentio/[email protected]