PkgRadar

npm · registry.npmjs.org

@workflow/next

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 4.0.6

SeveritySignalEvidence
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/builder-deferred.js

Scanned versions

VersionVerdictScoreScanned (UTC)
5.0.0-beta.17Low risk02026-06-15
5.0.0-beta.16Low risk02026-06-15
4.0.11Low risk02026-06-15
5.0.0-beta.15Low risk02026-06-12
5.0.0-beta.14Low risk02026-06-11
4.0.10Low risk02026-06-11
5.0.0-beta.13Low risk02026-06-09
5.0.0-beta.12Low risk02026-06-04
5.0.0-beta.11Low risk02026-06-02
4.0.9Low risk02026-06-02
4.0.7Low risk02026-06-02
4.0.8Low risk02026-06-02
5.0.0-beta.10Low risk02026-05-29
5.0.0-beta.9Low risk02026-05-29
4.0.6Review132026-05-28
5.0.0-beta.8Review132026-05-28

Block this in CI

PkgRadar gates @workflow/next (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @workflow/[email protected]
Start free — 25 scans / moView full evidence