PkgRadar

Package evidence

[email protected]

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
4,164Niche · −30% score
Versions published
78Mature · −50% score
First published
Jan 2021
Publisher
rebill-bindings

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["[email protected]"],"fail_on":"review"}'
Publisherrebill-bindings
Artifact bytes13,889,797
Previous version1.17.23-beta.1
Published2026-06-03T16:12:10.319Z
SHA-2564066289ebbe29eb2bfb58b64d9645a654a6d0bcd4f6a1dfbf114402714873c3b

Why flagged

What the scanner saw

Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
25Score
1.17.23Version
Status history (1 event)
  1. newavailable · risk review · score 25 · status changed

Evidence

Static findings

5 static · 0 from release diff · showing high-signal first.

SeverityKindPathDetailPoints
highJs Split Join Obfuscationpackage/dist/esm/lottie-E0pOygkZ.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
highJs Split Join Obfuscationpackage/dist/cjs/lottie-NxKK9TIf.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
highJs Split Join Obfuscationpackage/dist/components/p-GK75wIKe.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
highJs Split Join Obfuscationpackage/dist/rebill/p-GK75wIKe.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
Show all 5 findings (low-signal and informational)
SeverityKindPathDetailPoints
highJs Split Join Obfuscationpackage/dist/esm/lottie-E0pOygkZ.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
highJs Split Join Obfuscationpackage/dist/cjs/lottie-NxKK9TIf.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
highJs Split Join Obfuscationpackage/dist/components/p-GK75wIKe.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
highJs Split Join Obfuscationpackage/dist/rebill/p-GK75wIKe.jsArray-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.40
lowObfuscation Densitypackage/dist/rebill/p-MMCcKmy_.jshigh encoded/escaped-token density0

Manifest

Package metadata

Scripts52
  • buildecho '🚀 Building Rebill SDK (environment-agnostic)...' && stencil build && node scripts/copy-assets.js
  • build:devecho '🚀 Building for development...' && REBILL_ENV=development stencil build && node scripts/copy-assets.js
  • env:infonode scripts/env-info.js
  • formatprettier --write "src/**/*.{ts,tsx,js,jsx,json,css,scss,md}"
  • format:checkprettier --check "src/**/*.{ts,tsx,js,jsx,json,css,scss,md}"
  • generatestencil generate
  • lintnpm run format:check
  • preparehusky install
  • serve:e2enode scripts/serve-e2e.js
  • startnode scripts/default-start.js && stencil build --dev --watch --serve
  • start:developmentREBILL_ENV=development node scripts/start-banner.js && REBILL_ENV=development stencil build --dev --watch --serve
  • start:localREBILL_ENV=local node scripts/start-banner.js && REBILL_ENV=local stencil build --dev --watch --serve
  • start:productionREBILL_ENV=production node scripts/start-banner.js && REBILL_ENV=production stencil build --dev --watch --serve
  • start:stagingREBILL_ENV=staging node scripts/start-banner.js && REBILL_ENV=staging stencil build --dev --watch --serve
  • teststencil test --spec --passWithNoTests
  • test.watchstencil test --spec --e2e --watchAll
  • test:e2eplaywright test --headed
  • test:e2e:allnode scripts/run-e2e-all.js --headed
  • test:e2e:argentinaE2E_SCENARIO=argentina_card playwright test --headed
  • test:e2e:chileE2E_SCENARIO=chile_apm playwright test --headed
  • test:e2e:chile:apmE2E_SCENARIO=chile_apm playwright test e2e/tests/checkout/payment-apm.spec.ts --headed
  • test:e2e:chile:cardE2E_SCENARIO=chile_card playwright test --headed
  • test:e2e:ciplaywright test
  • test:e2e:ci:allnode scripts/run-e2e-all.js
  • test:e2e:ci:argentinaE2E_SCENARIO=argentina_card playwright test
  • test:e2e:ci:chileE2E_SCENARIO=chile_apm playwright test e2e/tests/checkout/payment-apm.spec.ts
  • test:e2e:ci:chile:apmE2E_SCENARIO=chile_apm playwright test e2e/tests/checkout/payment-apm.spec.ts
  • test:e2e:ci:chile:cardE2E_SCENARIO=chile_card playwright test
  • test:e2e:ci:colombiaE2E_SCENARIO=colombia_apm playwright test e2e/tests/checkout/payment-apm.spec.ts
  • test:e2e:ci:colombia:apmE2E_SCENARIO=colombia_apm playwright test e2e/tests/checkout/payment-apm.spec.ts
  • …and 22 more.
Dependencies17
  • @stencil/store^2.1.3
  • @stripe/stripe-js8.11.0
  • @types/qrcode^1.5.5
  • axios^1.9.0
  • dotenv^17.2.1
  • html2canvas^1.4.1
  • i18next^25.2.1
  • i18next-browser-languagedetector^8.1.0
  • intl-tel-input^25.3.1
  • jsbarcode3.12.1
  • jspdf^4.2.0
  • libphonenumber-js^1.12.9
  • lodash^4.17.21
  • lottie-web^5.13.0
  • number-flow^0.5.8
  • qrcode^1.5.4
  • yup^1.6.1