Packages calling eval() at runtime — typically with content sourced from an env variable, base64-decoded literal, or HTTP response. Used to hide the actual payload from static review.
34 packages flagged with this pattern (75 total publish events, collapsed by publisher+name). Newest first.
→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.
weekly: — /wk
llm verdict: malicious 0.96
h-score: 52
patterns: 34
size: 35.0 MB
versions: 292
AUTO-PUBLISHED/npm/
@jacob-ebey/almostnode@0.4.0
by jacob-ebey
Node.js in your browser. Just like that.
steals → AI API keys, Chromium logins → sends to https://github.com/macaly/almostnode.git