npm · registry.npmjs.org
omniroute
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Why PkgRadar flagged 3.2.8
| Severity | Signal | Evidence |
|---|---|---|
| high | Js Split Join Obfuscation | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. · package/app/open-sse/translator/request/claude-to-openai.ts |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/app/.next/server/chunks/[root-of-the-server]__3556b50d._.js |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/app/.next/server/chunks/[root-of-the-server]__7d4ca1be._.js |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/app/.next/server/chunks/[root-of-the-server]__e92f2f9b._.js |
| medium | Remote Payload | matched "github.com/FiloSottile/mkcert/releases/download" · package/app/node_modules/next/dist/lib/mkcert.js |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/app/.next/server/chunks/src_043440d8._.js |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/app/.next/server/chunks/src_b1460e01._.js |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/app/.next/server/chunks/src_lib_localDb_ts_4e493de9._.js |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/app/.next/server/chunks/ssr/src_lib_localDb_ts_658378c4._.js |
| medium | Remote Payload | matched "curl " · package/app/restart.sh |
| medium | Remote Payload | matched "raw.githubusercontent.com" · package/app/src/lib/pricingSync.ts |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
3.2.8 | High risk | 129 | 2026-06-03 |
Block this in CI
pkgradar gate --ecosystem npm [email protected]