// Code execution / obfuscation

Dynamic eval() execution

패턴: eval-dynamic

Packages calling eval() at runtime — typically with content sourced from an env variable, base64-decoded literal, or HTTP response. Used to hide the actual payload from static review.

3개 패키지에 이 패턴이 매칭됨. 최신순.

• AUTO-PUBLISHED/pypi/12h ago

  pipeline-check@1.1.0

  by Daniel Martin

  CI/CD Security Posture Scanner — scores AWS, Terraform, CloudFormation, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket Pipelines, Jenkins, CircleCI, Google Cloud Build, Buildkite, Drone CI, Tekton, Argo Workflows, Dockerfile, Kubernetes manifests, Helm charts, OCI image manifests, SCM repo posture (GitHub / GitLab / Bitbucket), npm and pypi dependency files against OWASP Top 10 CI/CD Risks and 14 other compliance frameworks

  steals →npm tokenGitHub PATGitLab PATAI API keys

  py-pip-install-runtimereads-github-tokensreads-gitlab-tokens
• AUTO-PUBLISHED/npm/2024-03-29/MAL-2026-4039

  @antv/l7-editor@1.1.13

  by yanxiong

  Geographic data editing tool based on L7

  install-path-npm-publishclipboard-accesseval-dynamicfunction-constructor

  weekly

  76

  /wk

  h-score

  75

  patterns

  4

  size
• AUTO-PUBLISHED/npm/2026-05-11/MAL-2026-4036

  @antv/l7-core@2.25.10

  by lzxue

  → sends tohttps://zhuanlan.zhihu.com/p/67484498

  eval-dynamic

  → 의심 전송지 없음, 원격 실행 형태 없음 — 1 known-vendor host(s).

  weekly

  —

  /wk

  llm verdict

  benign 0.85

  h-score

  75

  patterns