PkgRadar

Package evidence

@sergienko4/[email protected]

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
681
Versions published
40
First published
Feb 2026
Publisher
GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: 70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@sergienko4/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@sergienko4/[email protected]"],"fail_on":"review"}'
PublisherGitHub Actions
Artifact bytes1,633,947
Previous version8.3.1
Published2026-05-21T17:58:35.448Z
SHA-256deedd5954cf69b0b883f3bcbc1c73735ec883544959a6c960eaa760d5744b7da

Why flagged

What the scanner saw

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
15Score
8.3.2Version
Status history (1 event)
  1. newavailable · risk review · score 15 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highJs Decode Then Execpackage/lib/index.cjsbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.45
highJs Decode Then Execpackage/lib/index.mjsbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.45

Manifest

Package metadata

Scripts35
  • buildnpm run lint && tsup
  • capture:invalid-loginnpx tsx src/Tests/E2eReal/tools/CaptureInvalidLogin.ts
  • check-exportspublint
  • cleanrimraf lib
  • devnpm run type-check -- --watch
  • docstypedoc
  • formatprettier --write "src/**/*.{ts,tsx,js,jsx,json,md}"
  • format:checkprettier --check "src/**/*.{ts,tsx,js,jsx,json,md}"
  • linteslint src --max-warnings 0 && npm run lint:architecture src/Scrapers/Pipeline && bash src/Scrapers/Pipeline/EslintCanaries/verify.sh && npm run format:check
  • lint:architecturenpx tsx src/Tests/Tools/lint-and-validate.ts
  • lint:biomebiome lint src --max-diagnostics=50
  • lint:canariesbash src/Scrapers/Pipeline/EslintCanaries/verify.sh
  • lint:fixeslint src --ignore-pattern '**/*.cjs' && npm run format
  • lint:phases:stricteslint src/Tests/Unit/Pipeline/CrossValidation/Phases --max-warnings 0
  • log:viewnpx tsx scripts/log-view.ts
  • postbuildrimraf lib/Common lib/Scrapers lib/Tests
  • preparetsup && rimraf lib/Common lib/Scrapers lib/Tests
  • prepare:defaultgit reset --hard && npm ci && npm run build
  • resetgit reset --hard && npm ci
  • testnode --experimental-vm-modules node_modules/jest/bin/jest.js
  • test:cincp src/Tests/.tests-config.tpl.cjs src/Tests/.tests-config.cjs && node --experimental-vm-modules node_modules/jest/bin/jest.js --ci --coverage
  • test:e2e-factory-testsnode --experimental-vm-modules node_modules/jest/bin/jest.js --ci --testPathPatterns='Tests/E2e\.test' --verbose --forceExit --maxWorkers=8
  • test:e2e:fullnode --experimental-vm-modules node_modules/jest/bin/jest.js --testPathIgnorePatterns=/node_modules/ --testPathPatterns=E2eFull --forceExit
  • test:e2e:mocknode --experimental-vm-modules node_modules/jest/bin/jest.js --testPathIgnorePatterns=/node_modules/ --testPathIgnorePatterns=E2eReal --testPathPatterns=E2eMocked --maxWorkers=8
  • test:e2e:realnpx tsx scripts/run-real-suite.ts
  • test:e2e:real:singlenode --experimental-vm-modules node_modules/jest/bin/jest.js --runInBand --testPathIgnorePatterns=/node_modules/ --testPathIgnorePatterns=E2eMocked --testPathPatterns=E2eReal
  • test:e2e:smokenode --experimental-vm-modules node_modules/jest/bin/jest.js --testPathIgnorePatterns=/node_modules/ --testPathPatterns=E2eSmoke --forceExit
  • test:fullnpm run test:mock && npm run test:unit
  • test:gatenpm run test:mock && npm run test:unit
  • test:mockcross-env MOCK_MODE=1 npx tsx scripts/run-mock-suite.ts
  • …and 5 more.
Dependencies7
  • @hieutran094/camoufox-js^0.6.8
  • lodash^4.17.23
  • moment^2.30.1
  • moment-timezone^0.6.0
  • pino^10.3.1
  • playwright-core~1.59.1
  • utility-types^3.11.0