Package evidence

@descope/[email protected]

Obfuscation Density: high encoded/escaped-token density

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@descope/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@descope/[email protected]"],"fail_on":"high"}'

Publisheromercnet

Artifact bytes7,886,494

Previous version3.11.5

Published2026-05-24T09:39:35.635Z

SHA-2565b26d7af83f97e497907975669b2d5941e8b43276c54263c9271ba8f2e9403a7

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

20d agoLast checked

highRisk

156Score

3.11.6Version

Status history (1 event)

new → available20d ago · risk high · score 156 · status changed

Related candidates

Linked campaigns and clusters

Publisher / release actor burststale

omercnet

5 members · evidence strength 84

Evidence

Static findings

34 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Obfuscation Density	package/dist/umd/2540.js	high encoded/escaped-token density	12
medium	Remote Payload	package/dist/umd/5780.js	matched "wget "	12
medium	Obfuscation Density	package/dist/umd/5780.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/dist/umd/descope-user-passkeys.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/dist/cjs/index.cjs.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/dist/index.esm.js	high encoded/escaped-token density	12

Show all 34 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
medium	Obfuscation Density	package/dist/umd/2540.js	high encoded/escaped-token density	12
medium	Remote Payload	package/dist/umd/5780.js	matched "wget "	12
medium	Obfuscation Density	package/dist/umd/5780.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/dist/umd/descope-user-passkeys.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/dist/cjs/index.cjs.js	high encoded/escaped-token density	12
medium	Obfuscation Density	package/dist/index.esm.js	high encoded/escaped-token density	12
low	Obfuscation	package/dist/umd/2540.js	matched "\\x7F"	3
low	Obfuscation	package/dist/umd/5348.js	matched "fromCharCode"	3
low	Obfuscation	package/dist/umd/5414.js	matched "\\u00B7"	3
low	Obfuscation	package/dist/umd/5780.js	matched "FromCharCode"	3
low	Obfuscation	package/dist/umd/button-selection-group-fields-descope-button-selection-group-item-index-js.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-button.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-code-snippet-index-js.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-collapsible-container.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-date-field-descope-calendar-index-js.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-grid-index-js.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-icon.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-image.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-multi-line-mappings.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-outbound-app-button.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-outbound-apps.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-third-party-app-logo-index-js.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-timer-button.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-timer.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-trusted-devices.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-upload-file-index-js.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-user-attribute-index-js.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-user-auth-method-index-js.js	matched "atob("	3
low	Obfuscation	package/dist/umd/descope-user-passkeys.js	matched "atob("	3
low	Obfuscation	package/dist/cjs/index.cjs.js	matched "atob("	3
low	Obfuscation	package/dist/index.esm.js	matched "atob("	3
low	Obfuscation	package/dist/umd/mapping-fields-descope-mappings-field-index-js.js	matched "atob("	3
low	Obfuscation	package/dist/umd/mapping-fields-descope-saml-group-mappings-index-js.js	matched "atob("	3
low	Obfuscation	package/src/components/phone-fields/descope-phone-input-box-field/descope-phone-input-box-internal/PhoneFieldInternalInputBox.js	matched "eVal("	3

Manifest

Package metadata

Scripts26

buildnpm run build:umd && npm run build:lib && touch dist/index.d.ts
build-storybookstorybook build
build:librollup -c
build:umdwebpack -c webpack.prod.js
container:builddocker build -t descope-wcui-playwright-image .
container:debugMONOREPO_ROOT=$(git rev-parse --show-toplevel) && PROJECT_DIR=$(pwd) && PROJECT_RELATIVE_PATH=${PROJECT_DIR#$MONOREPO_ROOT/} && docker run --rm --network host -v $MONOREPO_ROOT:/work/ -w /work/$PROJECT_RELATIVE_PATH -it mcr.microsoft.com/playwright:v1.58.2-noble /bin/bash
e2enpm run e2e:container -- $(node ./scripts/printAffectedComponents) "$@"
e2e:containerMONOREPO_ROOT=$(git rev-parse --show-toplevel) && PROJECT_DIR=$(pwd) && PROJECT_RELATIVE_PATH=${PROJECT_DIR#$MONOREPO_ROOT/} && docker run --rm --network host -v $MONOREPO_ROOT:/work/ -w /work/$PROJECT_RELATIVE_PATH descope-wcui-playwright-image
e2e:container:updateSnapshotsnpm run e2e:container -- --update-snapshots=all
e2e:localplaywright test
e2e:local:uiplaywright test --ui
e2e:local:ui:debugPWDEBUG=1 npm run e2e:local:ui
formatprettier --ignore-path .gitignore --write .
format:allnpm run format .
linteslint --fix --max-warnings 100
lint-stagedlint-staged
lint:allnpm run lint .
prebuildrm -rf dist
pree2e:containerdocker build -t descope-wcui-playwright-image .
print-componentsnx show projects --projects 'packages/web-components/components/*'
print-components:affectednx show projects --projects 'packages/web-components/components/*' --affected
print-components:affected:cinx show projects --projects 'packages/web-components/components/*' --affected --base=origin/main
startwebpack serve -c webpack.dev.js --port=8888
storybookstorybook dev -p 6007 --quiet
storybook:noCspSTORYBOOK_NO_CSP=true npm run storybook
testjest

Dependencies52

@descope-ui/common3.11.6
@descope-ui/descope-address-field3.11.6
@descope-ui/descope-anchored3.11.6
@descope-ui/descope-apps-list3.11.6
@descope-ui/descope-attachment3.11.6
@descope-ui/descope-autocomplete-field3.11.6
@descope-ui/descope-avatar3.11.6
@descope-ui/descope-badge3.11.6
@descope-ui/descope-button3.11.6
@descope-ui/descope-collapsible-container3.11.6
@descope-ui/descope-combo-box3.11.6
@descope-ui/descope-country-subdivision-city-field3.11.6
@descope-ui/descope-enriched-text3.11.6
@descope-ui/descope-icon3.11.6
@descope-ui/descope-image3.11.6
@descope-ui/descope-link3.11.6
@descope-ui/descope-list3.11.6
@descope-ui/descope-list-item3.11.6
@descope-ui/descope-multi-line-mappings3.11.6
@descope-ui/descope-multi-select-combo-box3.11.6
@descope-ui/descope-outbound-app-button3.11.6
@descope-ui/descope-outbound-apps3.11.6
@descope-ui/descope-password-strength3.11.6
@descope-ui/descope-ponyhot3.11.6
@descope-ui/descope-recovery-codes3.11.6
@descope-ui/descope-text3.11.6
@descope-ui/descope-timer3.11.6
@descope-ui/descope-timer-button3.11.6
@descope-ui/descope-tooltip3.11.6
@descope-ui/descope-trusted-devices3.11.6
…and 22 more.