Package evidence
@balancy/[email protected]
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 99Mature · −50% score
- First published
- Sep 2024
- Publisher
- mark-balancy
Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@balancy/[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@balancy/[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 25 · status changed
Evidence
Static findings
4 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/dist/webview/balancy-webview.es.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/dist/webview/balancy-webview.umd.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
Show all 4 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/dist/webview/balancy-webview.es.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| high | Js Split Join Obfuscation | package/dist/webview/balancy-webview.umd.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| low | Large Javascript Payload | package/dist/index.umd.js | 2177928 bytes | 0 |
| low | Large Javascript Payload | package/dist/index.mjs | 2022645 bytes | 0 |
Manifest
Package metadata
Scripts11
buildnpm run build:core && npm run build:webviewbuild:corevite buildbuild:localnpm run build:core && npm run build:webview:localbuild:webviewvite build --config vite.config.webview.ts && npm run copy:webview:safebuild:webview:localvite build --config vite.config.webview.ts && npm run copy:webview:forcebuild:webview:watchvite build --config vite.config.webview.ts --watchcopy:webview:forcenode -e "const fs=require('fs'),p=require('path'),d=p.resolve(__dirname,'../../../plugin_cpp_unity/Assets/Balancy/WebView/Resources/WebGL');fs.copyFileSync('dist/webview/balancy-webview.umd.js',p.join(d,'balancy-webview.umd.js'));fs.copyFileSync('dist/webview/balancy-webview.umd.js.map',p.join(d,'balancy-webview.umd.js.map'));console.log('WebView bundle copied to Unity Balancy package')"copy:webview:safenode -e "if (process.env.CI !== 'true') require('child_process').execSync('npm run copy:webview:force', {stdio: 'inherit'})"publish:latestnpm publish --tag latest --access publicpublish:nextnpm publish --tag next --access publicstartvite build --watch
Dependencies5
@balancy/wasm~1.6.21@types/jszip^3.4.0jszip^3.10.1reflect-metadata^0.2.2socket.io-client^4.7.5