Package evidence

[email protected]

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Versions published: 1
First published: Jun 2026
Publisher: joelwongquizlet

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'

Publisherjoelwongquizlet

Artifact bytes785,541

Previous versionnone

Published2026-06-01T19:54:47.659Z

SHA-256ae38f124c62ca926303ca761d8d63d91d6a9a58fa5fbbf7cf74d54798bcb8ab7

Why flagged

What the scanner saw

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

15d agoLast checked

reviewRisk

50Score

1.0.0Version

Status history (1 event)

new → available15d ago · risk review · score 50 · status changed

Evidence

Static findings

2 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
high	Js Split Join Obfuscation	package/dist/lottie-DGMXt9Va.js	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.	40
high	Js Split Join Obfuscation	package/dist/lottie-Biz-xKC6.mjs	Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.	40

Manifest

Package metadata

Scripts2

buildvite build
devvite build --watch

Dependencies43

@linaria/core^6.3.0
@linaria/react^6.3.0
@react-aria/button^3.9.3
@react-aria/dialog^3.6.1
@react-aria/focus^3.16.2
@react-aria/i18n^3.13.1
@react-aria/interactions^3.21.1
@react-aria/menu^3.13.1
@react-aria/overlays^3.21.1
@react-aria/progress^3.5.1
@react-aria/ssr^3.9.2
@react-aria/switch^3.7.3
@react-aria/tabs^3.8.5
@react-aria/tooltip^3.7.2
@react-aria/utils^3.23.2
@react-aria/visually-hidden^3.9.1
@react-stately/collections^3.10.5
@react-stately/menu^3.6.1
@react-stately/overlays^3.6.5
@react-stately/tabs^3.6.4
@react-stately/toggle^3.8.4
@react-stately/tooltip^3.4.7
@react-stately/tree^3.10.1
@react-types/button^3.9.2
@react-types/menu^3.9.7
@react-types/overlays^3.8.5
@react-types/shared^3.23.0
@react-types/switch^3.6.0
@react-types/tooltip^3.4.9
@types/react-modal^3.16.3
…and 13 more.