npm · registry.npmjs.org
bitmovin-player
Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.
Why PkgRadar flagged 8.261.0-beta.0
| Severity | Signal | Evidence |
|---|---|---|
| high | Js Decode Then Exec | base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/modules/bitmovinplayer-core.js |
| high | Js Decode Then Exec | base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. · package/modules/bitmovinplayer-core.prod.js |
| medium | Large Javascript Payload | 2341899 bytes · package/bitmovinplayer.js |
| medium | Large Javascript Payload | 2250984 bytes · package/bitmovinplayer.prod.js |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
8.263.0 | Low risk | 0 | 2026-06-16 |
8.263.0-rc.0 | Low risk | 0 | 2026-06-16 |
8.138.0-alpha.9 | Low risk | 0 | 2026-06-15 |
8.263.0-alpha.0 | Low risk | 0 | 2026-06-15 |
8.261.1-alpha.7 | Low risk | 0 | 2026-06-08 |
8.261.1-alpha.6 | Low risk | 0 | 2026-06-08 |
8.261.1-alpha.5 | Low risk | 0 | 2026-06-08 |
8.261.1-alpha.4 | Low risk | 0 | 2026-06-08 |
8.262.0 | Low risk | 0 | 2026-06-08 |
8.261.1-alpha.3 | Low risk | 0 | 2026-06-08 |
8.262.0-rc.0 | Low risk | 0 | 2026-06-08 |
8.261.1-alpha.2 | Low risk | 0 | 2026-06-08 |
8.261.1-alpha.1 | Low risk | 0 | 2026-06-08 |
8.261.1-alpha.0 | Low risk | 0 | 2026-06-02 |
8.262.0-beta.0 | Low risk | 0 | 2026-06-01 |
8.261.0 | Low risk | 0 | 2026-06-01 |
8.261.0-rc.0 | Low risk | 0 | 2026-06-01 |
8.261.0-beta.0 | Review | 21 | 2026-05-28 |
8.260.0-rc.0 | Review | 6 | 2026-05-26 |
8.260.0 | Review | 6 | 2026-05-26 |
Block this in CI
pkgradar gate --ecosystem npm [email protected]