PkgRadar

Package evidence

[email protected]

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published
31
First published
Mar 2026
Publisher
shaun0927

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publishershaun0927
Artifact bytes2,047,619
Previous version0.6.2
Published2026-05-29T04:24:16.720Z
SHA-2566ff01b3078c59c62d89b90020592162734404d260efb94a1f5726952ee5318a9

Why flagged

What the scanner saw

Js Decode Then Exec: base64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
60Score
0.6.3Version
Status history (1 event)
  1. newavailable · risk review · score 60 · status changed

Evidence

Static findings

4 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highJs Decode Then Execpackage/dist/cli/928.index.jsbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.45
highJs Decode Then Execpackage/dist/index.jsbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.45
Show all 4 findings (low-signal and informational)
SeverityKindPathDetailPoints
highJs Decode Then Execpackage/dist/cli/928.index.jsbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.45
highJs Decode Then Execpackage/dist/index.jsbase64 / atob / fromCharCode decode paired with eval / new Function in the same file — canonical obfuscated-loader pattern.45
lowCredential file accesspackage/dist/cli/928.index.jsmatched "aws_access_key"5
lowCredential file accesspackage/dist/index.jsmatched "aws_access_key"5

Manifest

Package metadata

Scripts30
  • audit:allnpm audit
  • audit:all:jsonnpm audit --json
  • audit:prodnpm audit --omit=dev
  • audit:prod:jsonnpm audit --omit=dev --json
  • buildnpm run clean && npm run build:src && npm run build:cli && npm run build:ax-bridge-native && npm run build:ax-bridge-cli && npm run build:sim-hid-bridge-native && npm run build:sim-hid-bridge-cli && npm run build:cursor-monitor
  • build:ax-bridge-cliwebpack --config webpack.config.js --config-name ax-bridge-cli && chmod +x dist/ax-bridge
  • build:ax-bridge-nativeswiftc -O src/native/ax-bridge.swift -o dist/ax-bridge-native && (codesign --sign - dist/ax-bridge-native || echo 'ax-bridge-native: ad-hoc codesign failed, keeping unsigned binary (still runnable for AX queries against booted simulators)') || echo 'ax-bridge-native: swiftc compilation failed, falling back to swift interpreter at runtime'
  • build:cliwebpack --config webpack.config.js --config-name cli && chmod +x dist/cli/index.js
  • build:cursor-monitorswiftc -O src/native/cursor-monitor.swift -o dist/cursor-monitor && (codesign --sign - dist/cursor-monitor || echo 'cursor-monitor: ad-hoc codesign failed, keeping unsigned binary') || echo 'cursor-monitor: swiftc compilation failed, falling back to swift interpreter at runtime'
  • build:sim-hid-bridge-cliwebpack --config webpack.config.js --config-name sim-hid-bridge-cli && chmod +x dist/sim-hid-bridge
  • build:sim-hid-bridge-nativeswiftc -O src/native/sim-hid-bridge.swift -o dist/sim-hid-bridge-native && (codesign --sign - dist/sim-hid-bridge-native || echo 'sim-hid-bridge-native: ad-hoc codesign failed, keeping unsigned binary (still runnable for HID dispatch)') || echo 'sim-hid-bridge-native: swiftc compilation failed, falling back to swift interpreter at runtime'
  • build:srcwebpack --config webpack.config.js --config-name server
  • check:error-envelopests-node --transpile-only --skip-project -O '{"module":"commonjs","moduleResolution":"node","target":"ES2022","esModuleInterop":true,"strict":true}' scripts/dev/check-error-envelopes.ts
  • cleanrimraf dist
  • devts-node --esm src/index.ts
  • linteslint 'src/**/*.ts' 'cli/**/*.ts' 'tests/**/*.ts'
  • lint:fixeslint --fix 'src/**/*.ts' 'cli/**/*.ts' 'tests/**/*.ts'
  • postbuildcp src/native/ax-bridge.swift dist/ 2>/dev/null || true; cp src/native/sim-hid-bridge.swift dist/ 2>/dev/null || true; cp src/native/cursor-monitor.swift dist/ 2>/dev/null || true
  • preparenpm run build
  • prepublishOnlynpm run audit:prod && npm run build && npm test
  • startnode dist/index.js
  • testjest --config jest.config.js
  • test:cijest --config jest.ci.config.js
  • test:coveragejest --coverage
  • test:integrationjest --preset ts-jest --testEnvironment node --roots tests/integration --testPathIgnorePatterns '/node_modules/' --testPathIgnorePatterns 'webkit-connection' --testTimeout=120000 --runInBand --reporters=default --reporters=<rootDir>/tests/integration/screenshot-failure-reporter.cjs
  • test:integration:monitorednode scripts/run-with-cursor-monitor.js -- npm run test:integration
  • test:liveOSF_LIVE=1 node scripts/run-with-cursor-monitor.js -- npm run test:integration
  • test:sentineljest --config jest.sentinel.config.js
  • test:unitjest --config jest.config.js
  • verify:issue-10-healthyts-node --transpile-only --skip-project -O '{"module":"commonjs","moduleResolution":"node","target":"ES2022","esModuleInterop":true,"strict":true}' scripts/verify-issue-10-healthy.ts
Dependencies4
  • commander^12.0.0
  • pixelmatch^7.1.0
  • pngjs^6.0.0
  • ws^8.21.0