Package evidence
[email protected]
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Versions published
- 1
- First published
- Jun 2026
- Publisher
- seapp88
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 40 · status changed
Evidence
Static findings
1 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/dist/dist-Bn08KzZC.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
Manifest
Package metadata
Scripts19
build-onlyvite buildbuild:libvite build --config vite.lib.config.tsbuild:storybookstorybook builddevtoolscross-env PORT=5556 vue-devtoolsdocker:test:screenshotdocker compose -f docker-compose.playwright.yml build --no-cache && docker compose -f docker-compose.playwright.yml up --exit-code-from playwright-testsdocker:test:update-screenshotsdocker compose -f docker-compose.playwright.yml build --no-cache playwright-tests && docker compose -f docker-compose.playwright.yml run --rm playwright-tests pnpm test:update-screenshotsformat:checkprettier . --checkformat:fixprettier . --writelint:checkeslint . --cachelint:fixeslint . --fixprepareis-ci || huskyreleasesemantic-releasestorybookstorybook dev -p 6006test:screenshotplaywright test -c playwright-ct.config.tstest:unitvitest run --coveragetest:update-screenshotsplaywright test -c playwright-ct.config.ts --update-snapshotsts:buildvue-tsc --build --forcets:checkvue-tsc --buildvalidate-branch-namechmod 755 ./.husky/branch-name-validation && sh ./.husky/branch-name-validation
Dependencies17
@tailwindcss/vite4.2.2@testing-library/vue8.1.0@vee-validate/i18n4.15.1@vee-validate/rules4.15.1@vue/test-utils2.4.6@vueuse/core14.2.1cleave-zen0.0.17dayjs1.11.20is-ci4.1.0naive-ui2.44.1pinia3.0.4radashi12.7.2treemate0.3.11vee-validate4.15.1vue3.5.31vue-router5.0.4vueuc0.4.65