Package evidence

@orbit-software/[email protected]

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 202
Versions published: 109Mature · −50% score
First published: May 2025
Publisher: lgklsv

Effective trust discount applied: −50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Block this update

Static evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@orbit-software/[email protected]"],"fail_on":"high"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@orbit-software/[email protected]"],"fail_on":"high"}'

Publisherlgklsv

Artifact bytes5,060,807

Previous version1.94.0

Published2026-06-01T10:21:32.121Z

SHA-256f5b3c05320deba151c08b4cee1156890ef0bd1ebd64d5c49679da6f2f4b6a0d4

Why flagged

What the scanner saw

1 candidate cluster(s) currently reference this release.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

high

14h agoLast checked

highRisk

31Score

1.94.1Version

Status history (1 event)

new → available2d ago · risk high · score 31 · status changed

Related candidates

Linked campaigns and clusters

Repeated static TTPactive

Js Split Join Obfuscation — array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

22 members · evidence strength 90

Repeated static TTPcandidate

22 members · max score 333

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Js Split Join Obfuscation	package/dist/umd_react/sdk_react.umd.js	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.	40
high	Js Split Join Obfuscation	package/dist/esm/sdk.umd.js	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.	40
high	Js Split Join Obfuscation	package/dist/umd/sdk.umd.js	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.	40
medium	Remote Dependency Spec	package.json	dependencies.@orbit-software/analytics="github:orbit-software/games-launcher#analytics-v0.1.1&path:/packages/analytics"	12

Show all 5 findings (low-signal and informational)

Severity	Kind	Path	Detail	Points
high	Js Split Join Obfuscation	package/dist/umd_react/sdk_react.umd.js	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.	40
high	Js Split Join Obfuscation	package/dist/esm/sdk.umd.js	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.	40
high	Js Split Join Obfuscation	package/dist/umd/sdk.umd.js	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.	40
medium	Remote Dependency Spec	package.json	dependencies.@orbit-software/analytics="github:orbit-software/games-launcher#analytics-v0.1.1&path:/packages/analytics"	12
low	Large Javascript Payload	package/dist/tmp/sdk.umd.js	3615134 bytes	0

Manifest

Package metadata

Scripts16

buildnpm run build:esm && npm run build:umd && npm run build:umd_react && npm run build:confirm && npm run build:assets
build:assetsmkdir -p dist/assets && cp -r src/assets/boxes dist/assets/boxes && cp -r src/assets/buyOptions dist/assets/buyOptions && cp -r src/assets/lottie dist/assets/lottie && cp src/assets/*.webp dist/assets/
build:confirmvite build --config vite.config.confirm.mts
build:esmvite build --config vite.config.esm.mts
build:umdvite build --config vite.config.umd.mts
build:umd_reactvite build --config vite.config.umd.react.mts
devvite dev --config vite.config.esm.mts
dev:confirmvite --config vite.config.confirm.mts
formatbiome format .
format:fixbiome format --write .
generate-typestsx src/i18n/generate-types.ts
lintbiome check .
lint:fixbiome check --write .
testjest
typechecktsc --noEmit
validate-translationstsx src/i18n/generate-types.ts

Dependencies20

@orbit-software/analyticsgithub:orbit-software/games-launcher#analytics-v0.1.1&path:/packages/analytics
@sentry/react^10.18.0
@tanstack/react-query5.90.2
@telegram-apps/telegram-ui^2.1.8
centrifuge^5.4.0
clsx^2.1.1
embla-carousel-autoplay^8.6.0
embla-carousel-react^8.6.0
es-toolkit^1.38.0
framer-motion^12.23.22
i18next^25.5.3
lottie-react^2.4.0
preact^10.25.4
react-confetti^6.1.0
react-device-detect^2.2.3
react-ga4^2.1.0
react-i18next^16.0.0
sonner2.0.7
tailwind-merge3.3.1
zustand^5.0.2