Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Obfuscation Density: high encoded/escaped-token density
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 173 · status changed
Related candidates
Linked campaigns and clusters
huucuongyd
2 members · evidence strength 64Evidence
Static findings
24 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/maplibre-gl-csp-worker.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/maplibre-gl-csp.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/maplibre-gl.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/ndamap-gl-csp-worker.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/ndamap-gl-csp.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/ndamap-gl.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/build/generate-docs.ts | matched "raw.githubusercontent.com" | 12 |
| medium | Obfuscation Density | package/src/util/unicode_properties.g.ts | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/maplibre-gl-csp-dev.js | 2848146 bytes | 10 |
| medium | Large Javascript Payload | package/dist/maplibre-gl-dev.js | 2992887 bytes | 10 |
| medium | Large Javascript Payload | package/dist/ndamap-gl-csp-dev.js | 2847867 bytes | 10 |
| medium | Large Javascript Payload | package/dist/ndamap-gl-dev.js | 2992588 bytes | 10 |
Show all 24 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Obfuscation Density | package/dist/maplibre-gl-csp-worker.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/maplibre-gl-csp.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/maplibre-gl.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/ndamap-gl-csp-worker.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/ndamap-gl-csp.js | high encoded/escaped-token density | 12 |
| medium | Obfuscation Density | package/dist/ndamap-gl.js | high encoded/escaped-token density | 12 |
| medium | Remote Payload | package/build/generate-docs.ts | matched "raw.githubusercontent.com" | 12 |
| medium | Obfuscation Density | package/src/util/unicode_properties.g.ts | high encoded/escaped-token density | 12 |
| medium | Large Javascript Payload | package/dist/maplibre-gl-csp-dev.js | 2848146 bytes | 10 |
| medium | Large Javascript Payload | package/dist/maplibre-gl-dev.js | 2992887 bytes | 10 |
| medium | Large Javascript Payload | package/dist/ndamap-gl-csp-dev.js | 2847867 bytes | 10 |
| medium | Large Javascript Payload | package/dist/ndamap-gl-dev.js | 2992588 bytes | 10 |
| low | Install-time lifecycle script | package.json | prepare="npm run codegen" | 4 |
| low | Obfuscation | package/dist/maplibre-gl-csp-worker.js | matched "\\u02EA" | 3 |
| low | Obfuscation | package/dist/maplibre-gl-csp.js | matched "\\u02EA" | 3 |
| low | Obfuscation | package/dist/maplibre-gl.js | matched "\\u02EA" | 3 |
| low | Obfuscation | package/dist/ndamap-gl-csp-worker.js | matched "\\u02EA" | 3 |
| low | Obfuscation | package/dist/ndamap-gl-csp.js | matched "\\u02EA" | 3 |
| low | Obfuscation | package/dist/ndamap-gl.js | matched "\\u02EA" | 3 |
| low | Obfuscation | package/src/util/resolve_tokens.test.ts | matched "\\ufff0" | 3 |
| low | Obfuscation | package/src/symbol/tagged_string.test.ts | matched "\\u200b" | 3 |
| low | Obfuscation | package/src/symbol/tagged_string.ts | matched "\\u200b" | 3 |
| low | Obfuscation | package/src/util/unicode_properties.g.ts | matched "\\u02EA" | 3 |
| low | Obfuscation | package/src/util/util.ts | matched "\\x00" | 3 |
Manifest
Package metadata
Scripts42
benchmarknode --no-warnings --loader ts-node/esm test/bench/run-benchmarks.tsbuild-benchmarksnpm run build-dev && rollup --configPlugin @rollup/plugin-typescript -c test/bench/rollup_config_benchmarks.tsbuild-csprollup --configPlugin @rollup/plugin-typescript -c rollup.config.csp.ts --environment BUILD:productionbuild-csp-devrollup --configPlugin @rollup/plugin-typescript -c rollup.config.csp.ts --environment BUILD:devbuild-csspostcss -o dist/ndamap-gl.css src/css/maplibre-gl.cssbuild-devrollup --configPlugin @rollup/plugin-typescript -c --environment BUILD:devbuild-distnpm run build-css && npm run generate-unicode-data && npm run generate-typings && npm run generate-shaders && npm run build-dev && npm run build-csp-dev && npm run build-prod && npm run build-cspbuild-prodrollup --configPlugin @rollup/plugin-typescript -c --environment BUILD:productionbundle-statsrollup --configPlugin @rollup/plugin-typescript -c --environment BUILD:production,BUNDLE:statscodegenrun-p --print-label generate-dist-package generate-style-code generate-unicode-data generate-struct-arrays generate-shaders && npm run generate-typingsdocsnpm run generate-docs && docker run --rm -v ${PWD}:/docs squidfunk/mkdocs-material buildgenerate-dist-packagenode --no-warnings --loader ts-node/esm build/generate-dist-package.jsgenerate-docstypedoc && node --no-warnings --loader ts-node/esm build/generate-docs.tsgenerate-imagesnode --no-warnings --loader ts-node/esm build/generate-doc-images.tsgenerate-shadersnode --no-warnings --loader ts-node/esm build/generate-shaders.tsgenerate-struct-arraysnode --no-warnings --loader ts-node/esm build/generate-struct-arrays.tsgenerate-style-codenode --no-warnings --loader ts-node/esm build/generate-style-code.tsgenerate-typingsdts-bundle-generator --export-referenced-types=false --umd-module-name=ndamapgl -o ./dist/ndamap-gl.d.ts ./src/index.tsgenerate-unicode-datanode --no-warnings --loader ts-node/esm build/generate-unicode-data.tsgl-statsnode --no-warnings --loader ts-node/esm test/bench/gl-stats.tslinteslintlint-cssstylelint **/*.css --fix -f verbosepreparenpm run codegenspellcheckcspellstartrun-p watch-css watch-dev start-serverstart-benchrun-p watch-css watch-benchmarks start-serverstart-docsdocker run --rm -it -p 8000:8000 -v ${PWD}:/docs squidfunk/mkdocs-materialstart-serverst --no-cache -H localhost --port 9966 .testrun-p lint lint-css test-render test-unit test-integration test-buildtest-buildvitest run --config vitest.config.build.ts- …and 12 more.
Dependencies22
@mapbox/geojson-rewind^0.5.2@mapbox/jsonlint-lines-primitives^2.0.2@mapbox/point-geometry^1.1.0@mapbox/tiny-sdf^2.0.7@mapbox/unitbezier^0.0.1@mapbox/vector-tile^2.0.4@mapbox/whoots-js^3.1.0@maplibre/geojson-vt^5.0.4@maplibre/maplibre-gl-style-spec^24.4.1@maplibre/mlt^1.1.2@maplibre/vt-pbf^4.2.1@types/geojson^7946.0.16@types/supercluster^7.1.3earcut^3.0.2gl-matrix^3.4.4kdbush^4.0.2murmurhash-js^1.0.0pbf^4.0.1potpack^2.1.0quickselect^3.0.0supercluster^8.0.1tinyqueue^3.0.0