PkgRadar

Package evidence

@formbird/[email protected]

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
643
Versions published
252Mature · −50% score
First published
Apr 2020
Publisher
benjie.penol

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@formbird/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@formbird/[email protected]"],"fail_on":"review"}'
Publisherbenjie.penol
Artifact bytes26,184,590
Previous version7.5.42
Published2026-05-05T03:37:41.088Z
SHA-2565c3ce51739662a92983bc52bcf93c68ca46a42ba75165b11774d47643f717156

Why flagged

What the scanner saw

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

1 remote tarball(s) were followed statically.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
33Score
7.5.43Version
Status history (1 event)
  1. newavailable · risk review · score 33 · status changed

Evidence

Static findings

7 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highJs Decode Then Execpackage/dist/sc-thumbnail/main.jsbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.45
highRemote Dependency Specpackage.jsondependencies.daypilot-pro-angular="https://npm.daypilot.org/daypilot-pro-angular/2tt2wiswfjfxhcpucen75wu7b4/2022.4.5442.tar.gz"12
mediumLarge Javascript Payloadpackage/dist/mapping-components/main.js3011815 bytes10
mediumLarge Javascript Payloadpackage/dist/sc-components/main.js4803459 bytes10
mediumLarge Javascript Payloadpackage/dist/sc-markdown/main.js2304022 bytes10
mediumLarge Javascript Payloadpackage/dist/sc-note-comment/main.js3912133 bytes10
Show all 7 findings (low-signal and informational)
SeverityKindPathDetailPoints
highJs Decode Then Execpackage/dist/sc-thumbnail/main.jsbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.45
highRemote Dependency Specpackage.jsondependencies.daypilot-pro-angular="https://npm.daypilot.org/daypilot-pro-angular/2tt2wiswfjfxhcpucen75wu7b4/2022.4.5442.tar.gz"12
mediumLarge Javascript Payloadpackage/dist/mapping-components/main.js3011815 bytes10
mediumLarge Javascript Payloadpackage/dist/sc-components/main.js4803459 bytes10
mediumLarge Javascript Payloadpackage/dist/sc-markdown/main.js2304022 bytes10
mediumLarge Javascript Payloadpackage/dist/sc-note-comment/main.js3912133 bytes10
lowInstall-time lifecycle scriptpackage.jsonpostinstall="ngcc"5

Remote payloads

Followed remote artifacts

SourceURLRiskScoreSummary
dependencies.daypilot-pro-angularhttps://npm.daypilot.org/daypilot-pro-angular/2tt2wiswfjfxhcpucen75wu7b4/2022.4.5442.tar.gzreview10large_javascript_payload: 5046726 bytes

Manifest

Package metadata

Scripts28
  • analyze:compwebpack-bundle-analyzer -m static dist/sc-components/stats.json
  • analyze:textboxwebpack-bundle-analyzer -m static dist/sc-text-box/stats.json
  • buildng build
  • build:compyarn build:formbird && ng build sc-components
  • build:formbirdrm -rf dist && ng build formbird-services && ng build formbird-sc-shared && ng build formbird-mapping && ng build mapping-components
  • build:notecommentyarn build:formbird && ng build sc-note-comment --stats-json --configuration production
  • build:prod:compyarn build:formbird && ng build sc-components --configuration production
  • build:textboxyarn build:formbird && ng build sc-text-box --stats-json --configuration production
  • clean:targetrm -rf ../fieldtec-web/server/public/vendor/custom-component-modules/sc-components
  • copy:compyarn copy:sc-comp && cp -R components/ ../fieldtec-web/server/public/vendor/custom-component-modules/sc-components
  • copy:sc-compcp -R dist/sc-components ../fieldtec-web/server/public/vendor/custom-component-modules
  • deploy-watchgulp deploy-watch
  • deploy:compyarn build:comp && yarn clean:target && yarn copy:comp
  • deploy:notecommentyarn build:notecomment && yarn clean:target && cp -R dist/sc-note-comment ../fieldtec-web/server/public/vendor/custom-component-modules/sc-components
  • deploy:plain-componentsnpx lerna run deploy
  • deploy:prod:compyarn build:prod:comp && yarn clean:target && yarn copy:comp
  • deploy:textboxyarn build:textbox && yarn clean:target && cp -R dist/sc-text-box ../fieldtec-web/server/public/vendor/custom-component-modules/sc-components
  • distgulp dist
  • e2eng e2e
  • install-allcp -R dist/* ../fieldtec-web/server/public/vendor/custom-component-modules/dist
  • lintng lint
  • ngng
  • postinstallngcc
  • scp-deploy-menung build sc-menu && scp -r dist/sc-menu/* [email protected]:/var/www/components/dev/m18180/v2
  • scp-deploy-pdfng build sc-pdf && scp -r dist/sc-pdf/* [email protected]:/var/www/components/dev/m19904/
  • scp-deploy-thumbnailng build sc-thumbnail --configuration production && scp -r dist/sc-thumbnail/* [email protected]:/var/www/components/dev/m19917/v1
  • servegulp serve
  • testng test
Dependencies93
  • @angular-devkit/build-ng-packagr^0.1002.0
  • @angular/animations13.0.1
  • @angular/cdk13.0.1
  • @angular/common13.0.1
  • @angular/compiler13.0.1
  • @angular/core13.0.1
  • @angular/elements13.0.1
  • @angular/forms13.0.1
  • @angular/localize13.0.1
  • @angular/material13.0.1
  • @angular/platform-browser13.0.1
  • @angular/platform-browser-dynamic13.0.1
  • @angular/router13.0.1
  • @formbird/angular-shared4.1.64
  • @formbird/guh-md^0.1.17
  • @formbird/services4.1.64
  • @formbird/shared4.1.64
  • @formbird/styles4.2.23
  • @formbird/types4.1.92
  • @googlemaps/markerclusterer^2.0.15
  • @ng-select/ng-select8.1.1
  • @opentok/client^2.18.0
  • @types/ace-diff^2.1.1
  • @types/c3^0.7.4
  • @types/elasticsearch^5.0.40
  • @types/geojson7946.0.7
  • @types/jquery^3.3.38
  • @types/openlayers4.6.17
  • @videogular/ngx-videogular5.0.1
  • ace-builds^1.4.14
  • …and 63 more.