PkgRadar

npm · registry.npmjs.org

@zapminds/mcp

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Why PkgRadar flagged 2.0.0

SeveritySignalEvidence
highJs Decode Then Execbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/dist/index.js
mediumObfuscation Densityhigh encoded/escaped-token density · package/dist/index.js

Scanned versions

VersionVerdictScoreScanned (UTC)
2.0.3Low risk02026-06-11
2.0.2Low risk02026-06-11
2.0.0Review572026-05-28
2.0.1Review572026-05-28

Block this in CI

PkgRadar gates @zapminds/mcp (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem npm @zapminds/[email protected]
Start free — 25 scans / moView full evidence
@zapminds/mcp — npm security scan | PkgRadar