PkgRadar

npm · registry.npmjs.org

@storybook/builder-vite

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 0.0.0-pr-34837-sha-ef2a6413

SeveritySignalEvidence
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/index.js

Scanned versions

VersionVerdictScoreScanned (UTC)
0.0.0-pr-35110-sha-d663f060Low risk02026-06-12
0.0.0-pr-35147-sha-6bc246feLow risk02026-06-12
0.0.0-pr-35109-sha-176296ffLow risk02026-06-12
0.0.0-pr-35110-sha-29d0b5a1Low risk02026-06-11
10.4.4Low risk02026-06-11
0.0.0-pr-34837-sha-5a29808eLow risk02026-06-11
0.0.0-pr-35110-sha-dbef892eLow risk02026-06-10
0.0.0-pr-35110-sha-53fe3e1cLow risk02026-06-10
0.0.0-pr-35125-sha-838d82b6Low risk02026-06-10
0.0.0-pr-35125-sha-eeb0bba2Low risk02026-06-10
0.0.0-pr-34837-sha-df272c83Low risk02026-06-10
10.5.0-alpha.6Low risk02026-06-10
10.4.3Low risk02026-06-09
0.0.0-pr-35115-sha-f9c23ce5Low risk02026-06-09
0.0.0-pr-35114-sha-17e6d055Low risk02026-06-09
0.0.0-pr-35048-sha-4dcfdcfdLow risk02026-06-09
0.0.0-pr-35101-sha-81c2838cLow risk02026-06-09
0.0.0-pr-34837-sha-24fd698eLow risk02026-06-09
0.0.0-pr-35078-sha-e5f7408fLow risk02026-06-06
10.5.0-alpha.5Low risk02026-06-05
0.0.0-pr-34837-sha-bef69a85Low risk02026-06-04
0.0.0-pr-35044-sha-4ef63dcfLow risk02026-06-04
0.0.0-pr-35050-sha-bd7a5628Low risk02026-06-04
0.0.0-pr-35048-sha-7c1a3349Low risk02026-06-04
0.0.0-pr-34953-sha-01ea9a40Low risk02026-06-04
0.0.0-pr-35051-sha-92d9e51aLow risk02026-06-04
0.0.0-pr-34202-sha-c1190794Low risk02026-06-03
0.0.0-pr-34202-sha-f7a9cb1bLow risk02026-06-03
0.0.0-pr-34202-sha-7c93a2e6Low risk02026-06-03
0.0.0-pr-34202-sha-9ccbc16fLow risk02026-06-03
0.0.0-pr-34953-sha-95f8d31dLow risk02026-06-03
10.5.0-alpha.4Low risk02026-06-02
0.0.0-pr-34953-sha-83c7bca8Low risk02026-06-02
0.0.0-pr-35009-sha-f04893a0Low risk02026-06-02
0.0.0-pr-34202-sha-9bc91288Low risk02026-06-01
0.0.0-pr-34976-sha-bf5dde0eLow risk02026-05-29
0.0.0-pr-34953-sha-28f97f41Low risk02026-05-29
0.0.0-pr-34202-sha-edbd40b4Low risk02026-05-29
0.0.0-pr-34202-sha-456c252bLow risk02026-05-29
0.0.0-pr-34953-sha-c061e099Low risk02026-05-29
0.0.0-pr-34837-sha-ef2a6413Review132026-05-29
0.0.0-pr-34926-sha-a0498164Review132026-05-28
0.0.0-pr-34953-sha-90d8fa9bReview132026-05-28
0.0.0-pr-34936-sha-8ab3ef66Review132026-05-28
0.0.0-pr-34837-sha-9c4ac020Review132026-05-28
0.0.0-pr-34202-sha-bc5dfdd6Low risk02026-05-28
0.0.0-pr-34936-sha-cf9b0ed4Low risk02026-05-27
0.0.0-pr-34890-sha-dad96b83Low risk02026-05-27
0.0.0-pr-34890-sha-4be9f903Low risk02026-05-27
0.0.0-pr-34890-sha-c4ba9bc2Low risk02026-05-26
0.0.0-pr-34890-sha-5048ee6eLow risk02026-05-26

Block this in CI

PkgRadar gates @storybook/builder-vite (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @storybook/[email protected]
Start free — 25 scans / moView full evidence