Package evidence
@oscharko-dev/[email protected]
Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads: 786
- Versions published: 7
- First published: May 2026
- Publisher: oscharko-dev
Recommended action
Review before promoting
Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CI
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

```sh
curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@oscharko-dev/[email protected]"],"fail_on":"review"}'
```

GitHub Actions step:

```yaml
- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@oscharko-dev/[email protected]"],"fail_on":"review"}'
```

Why flagged
What the scanner saw
Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 65 · status changed
Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Decode Then Exec | package/dist/workbench/.next/build/chunks/node_modules__pnpm_11dow_.._.js | base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern. | 45 |
| medium | Large Javascript Payload | package/dist/cli.cjs | 2615662 bytes | 10 |
| medium | Large Javascript Payload | package/dist/cli.js | 2608384 bytes | 10 |
Manifest
Package metadata
Scripts (49)

| Script | Command |
|---|---|
| build | `pnpm run workspaces:build && pnpm run build:workbench && pnpm run build:package` |
| build:package | `tsup && node scripts/prepare-workbench-package.mjs` |
| build:workbench | `pnpm --dir apps/workbench build` |
| check:attw | `attw --pack` |
| check:depcruise | `depcruise --config .dependency-cruiser.cjs packages src` |
| check:installable-package | `node scripts/check-installable-package.mjs` |
| check:license-policy | `node scripts/check-license-policy.mjs` |
| check:lockfile-hosts | `node scripts/check-lockfile-hosts.mjs` |
| check:no-telemetry | `node scripts/check-no-telemetry.mjs` |
| check:npm-sbom-smoke | `node scripts/npm-sbom-smoke.mjs` |
| check:package-shape | `node scripts/check-package-shape.mjs` |
| check:parity | `node --import tsx scripts/check-parity.mjs` |
| check:publint | `publint` |
| check:reproducible-build | `node scripts/verify-reproducible-build.mjs` |
| check:sandbox-parity | `node --import tsx scripts/check-sandbox-parity.mjs` |
| check:sbom-parity | `node scripts/check-sbom-parity.mjs` |
| check:scorecard-threshold | `node scripts/check-scorecard-threshold.mjs` |
| check:supply-chain-iocs | `node scripts/check-supply-chain-iocs.mjs` |
| cli | `tsx packages/cli/src/cli.ts` |
| docs | `typedoc` |
| docs:api | `typedoc` |
| format | `prettier --write .` |
| format:check | `prettier --check .` |
| lint | `eslint src` |
| local:start | `node scripts/start-local.mjs` |
| local:start:mock | `node scripts/start-local.mjs --mock` |
| local:start:prod | `node scripts/start-local.mjs --mode=prod` |
| local:stop | `node scripts/stop-local.mjs` |
| parity:extract | `node --import tsx scripts/extract-parity-fixtures.mjs` |
| prepare | `git config core.hooksPath .githooks` |

…and 19 more.
Dependencies (6)

| Package | Version range |
|---|---|
| @opentelemetry/api | ^1.9.1 |
| lucide-react | ^1.16.0 |
| next | ^16.2.6 |
| react | ^19.2.6 |
| react-dom | ^19.2.6 |
| zod | ^4.4.3 |