Threat Detection

Code Obfuscation Detection

Malicious packages hide their payloads using base64 encoding, hex strings, eval() chains, and chr() concatenation. Hextrap scans every source file to find code that's deliberately hidden.

Why Attackers Obfuscate Code

Obfuscation serves one purpose in malicious packages: evade detection. Legitimate packages have no reason to base64-encode their functionality or build strings character by character. When a package's source code contains these patterns, it's either malware hiding a payload or a misguided attempt at "protecting" code — both are red flags in open-source dependencies.

Common malicious payloads include credential stealers (reading ~/.ssh, ~/.aws, ~/.npmrc), reverse shells, cryptocurrency miners, and data exfiltration scripts that send environment variables to attacker-controlled servers.

Obfuscation Patterns Hextrap Detects

The Phase 2 content analyzer downloads each package artifact and scans all source files for known obfuscation techniques:

Base64 Payloads

Strings longer than 100 characters that match base64 encoding patterns, especially when passed to base64.b64decode() or Buffer.from(). Legitimate packages rarely contain long base64 strings — when they do, they're typically embedded assets (images, fonts) rather than executable code.

exec(base64.b64decode("aW1wb3J0IG9zCm9zLnN5c3RlbSgnY3VybCBod..."))

Eval with Decode Chains

Combinations of eval(), exec(), or Function() with encoding/decoding functions. This pattern is the hallmark of "dropper" malware that decodes and executes a payload at runtime.

eval(Buffer.from("Y29uc3QgaHR0cCA9...", "base64").toString())

Hex-Encoded Strings

Long runs of hexadecimal escapes (for example \x68\x74\x74\x70, which decodes to "http") used to hide URLs, shell commands, or file paths from casual code review and simple string-matching scanners.

Character Concatenation

Building strings using chr() or String.fromCharCode() to avoid having readable strings in the source code. A function call like chr(104)+chr(116)+chr(116)+chr(112) spells "http" — but no scanner looking for "http" as a literal string would find it.

Severity: CRITICAL
Signal Type: OBFUSCATION
Detection Phase: Phase 2 (Content Analysis)
Registries: PyPI, npm, Go
Method: Source file pattern matching
Scans: .py, .js, .go, setup.py, package.json

Real-World Example

$ pip install colorama-utils

ERROR: Package blocked by Hextrap
Reason: Obfuscated code detected
  File: setup.py
  Pattern: exec(base64.b64decode(...))
  Signal: OBFUSCATION (CRITICAL)

Block Obfuscated Malware Automatically

Content analysis catches payloads that name-based checks miss