Package evidence
[email protected]
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Trust signals
Why this verdict
PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.
- Weekly downloads
- 13
- Versions published
- 18
- First published
- Feb 2026
- Publisher
- persian402
Recommended action
Review before promotingMixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["[email protected]"],"fail_on":"review"}'Why flagged
What the scanner saw
Js Split Join Obfuscation: Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis.
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk review · score 40 · status changed
Evidence
Static findings
3 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/dist/js/TalkLoading-zbvUxdbG.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
Show all 3 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| high | Js Split Join Obfuscation | package/dist/js/TalkLoading-zbvUxdbG.js | Array-of-single-tokens joined to form a string — used to obscure module names like require(["n","o","de",":","cr","yp","to"].join("")), defeating static require() analysis. | 40 |
| low | Large Javascript Payload | package/dist/index.umd.js | 4567255 bytes | 0 |
| low | Large Javascript Payload | package/dist/js/main-CIumYetG.js | 2848567 bytes | 0 |
Manifest
Package metadata
Scripts11
buildtsc -b && vite build --mode libbuild:appvite build --mode appbuild:libvite build --mode libdevvite --port 8081 --mode development --hosteslinteslint --fixlinteslint .prdvite build --mode app && vite previewprettiernpx prettier --write .previewvite previewreleasenpm version patch --no-git-tag-version && npm publish --access publicsnapshotnpm config set tag-version-prefix '' && npm version prerelease --preid=snapshot --no-git-tag-version || true && npm publish --tag snapshot --access public
Dependencies58
@dnd-kit/core^6.3.1@dnd-kit/modifiers^9.0.0@emotion/is-prop-valid^1.4.0@radix-ui/react-context-menu^2.2.16@radix-ui/react-dialog^1.1.15@radix-ui/react-dropdown-menu^2.1.16@radix-ui/react-label^2.1.7@radix-ui/react-portal^1.1.10@radix-ui/react-radio-group^1.3.8@radix-ui/react-select^2.2.6@radix-ui/react-tabs^1.1.13@radix-ui/react-tooltip^1.2.8@reduxjs/toolkit^2.8.2@types/dompurify^3.0.5@types/prismjs^1.26.5@types/react-outside-click-handler^1.3.4@types/wavesurfer.js^6.0.12axios^1.12.2copy-to-clipboard^3.3.3dompurify^3.3.1events^3.3.0fastq^1.19.1framer-motion^12.23.24immer^10.1.1js-cookie^3.0.5leaflet^1.9.4lottie-colorify^0.8.0lucide-react^0.514.0moment^2.30.1moment-jalaali^0.10.4- …and 28 more.