npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

kra-secure

v2.0.3

Published

Advanced JavaScript obfuscation and secure build tool

Readme

kra-secure

Advanced JavaScript obfuscation and secure build tool — CLI + programmatic API

npm version Node.js >= 18 License: MIT

kra-secure bundles your JavaScript with esbuild then applies advanced obfuscation via javascript-obfuscator — renaming, control-flow flattening, string encoding, anti-debugging, and more. It also ships a file-signing system for deployment integrity checks.


Features

  • 3 protection levelslow, medium, high
  • Debug / Production modes — readable bundle with source maps in dev, fully obfuscated in prod
  • Watch mode — auto-rebuild on file changes with debounce and lifecycle hooks
  • Anti-tampering — SHA-256/SHA-512 file signing, CLI verification, optional runtime guard injection
  • Multi-file input — array of entry points with [name] pattern in output path
  • Config filekra-secure.config.js with deep-merge defaults
  • Programmatic APIObfuscator class extending EventEmitter, buildDirectory(), and more

Installation

# Local (recommended)
npm install --save-dev kra-secure

# Global
npm install -g kra-secure

Requirements: Node.js ≥ 18


Quick Start

# Generate a default config file
npx kra-secure init

# Build (production, obfuscated)
npx kra-secure build

# Build in debug mode (readable + source maps)
npx kra-secure build --mode debug

# Watch mode
npx kra-secure watch

CLI Reference

kra-secure <command> [options]

Commands:
  build              Bundle and obfuscate the project
  watch              Watch for changes and rebuild automatically
  sign  <file>       Sign a built file (creates <file>.sig)
  verify <file>      Verify a signed file against its .sig
  init               Generate a default kra-secure.config.js
  version            Print the version

Options:
  -i, --input  <file>    Entry file          (default: src/main.js)
  -o, --output <file>    Output file         (default: dist/app.secure.js)
  -m, --mode   <mode>    production | debug  (default: production)
  -l, --level  <level>   low | medium | high (default: low)
  -c, --config <file>    Path to config file
  -a, --algorithm <algo> sha256 | sha512     (default: sha256)

Examples

# High-protection production build
kra-secure build --level high

# Custom paths
kra-secure build --input src/app.js --output public/app.min.js

# Sign a dist file for deployment verification
kra-secure sign dist/app.secure.js
kra-secure verify dist/app.secure.js

# Watch with a specific level
kra-secure watch --level medium

Configuration File

Run kra-secure init to generate kra-secure.config.js, or create it manually:

// kra-secure.config.js
module.exports = {
  input: "src/main.js",
  output: "dist/app.secure.js",
  mode: "production", // "production" | "debug"

  options: {
    level: "medium",              // "low" | "medium" | "high"
    compact: true,
    controlFlowFlattening: true,
    deadCodeInjection: false,
    debugProtection: false,
    stringArray: true,
    selfDefending: false
  },

  watch: {
    patterns: ["src/**/*.js"],
    ignore: ["node_modules/**", "dist/**"],
    debounce: 300,
    initialBuild: true,
    continueOnError: true,
    // Lifecycle hooks
    onStart:        (config) => {},
    onFileChange:   (filePath, event) => {},
    onBeforeBuild:  () => {},
    onAfterBuild:   (result) => {},
    onError:        (err) => {},
    onStop:         () => {}
  },

  antiTampering: {
    enabled: false,
    signature: false,           // embed runtime hash guard in output
    algorithm: "sha256",
    onTamperDetected: "block",  // "block" | "callback" | "redirect"
    callback: "window.__onTamperDetected",
    redirectUrl: "/security-error",
    checkInterval: 5000         // ms, 0 = disabled
  }
};

Protection Levels

| Feature | low | medium | high | |---|:---:|:---:|:---:| | Hex identifier renaming | ✓ | ✓ | ✓ | | Compact output | ✓ | ✓ | ✓ | | Control-flow flattening | — | 50% | 100% | | String array + encoding | — | base64 | RC4 | | Dead code injection | — | — | ✓ | | Anti-debugging | — | — | ✓ | | Console output disabled | — | — | ✓ | | Self-defending | — | — | ✓ | | Object keys transform | — | — | ✓ |


Programmatic API

const kraSecure = require("kra-secure");

// Simple build
const result = await kraSecure.build({
  input: "src/main.js",
  output: "dist/app.secure.js",
  options: { level: "high" }
});
console.log(result.output, result.size);

// Obfuscator class with events
const { Obfuscator } = require("kra-secure");

const obs = new Obfuscator({
  input: "src/main.js",
  output: "dist/app.secure.js",
  options: { level: "medium" }
});

obs.on("start",  (cfg)    => console.log("Starting..."));
obs.on("build",  (result) => console.log("Done →", result.output));
obs.on("error",  (err)    => console.error(err.message));

await obs.build();

// Watch mode
const handle = await obs.watch();
// handle.stop() to stop watching

// Build all .js files in a directory
const results = await obs.buildDirectory("src", "dist");

// Anti-tampering: sign & verify
await kraSecure.sign("dist/app.secure.js");                // creates .sig file
const check = kraSecure.verify("dist/app.secure.js");      // { valid, hash, signedAt }

Build Result Object

{
  output:     "dist/app.secure.js", // absolute path
  mode:       "production",
  obfuscated: true,
  size:       12345,               // bytes
  signature:  {                    // null when antiTampering is off
    hash:      "a3f...",
    sigPath:   "dist/app.secure.js.sig",
    algorithm: "sha256",
    timestamp: "2026-01-01T00:00:00.000Z"
  }
}

Anti-Tampering

kra-secure supports two complementary integrity mechanisms:

1. File signing (CLI / CI-CD)

# After building, sign the output
kra-secure sign dist/app.secure.js
# → creates dist/app.secure.js.sig (JSON with SHA-256 hash + timestamp)

# Before deploying or in CI, verify nothing changed
kra-secure verify dist/app.secure.js
# ✔  Integrity check passed   OR   ✖  FAILED (with expected vs actual hash)

2. Runtime guard (browser)

Enable in kra-secure.config.js:

antiTampering: {
  enabled: true,
  signature: true,            // injects a guard IIFE at the top of the output
  onTamperDetected: "block"   // throw Error on mismatch
}

The injected guard exposes window.__kraSecure.verify(hash) — call it from your server-side script-src check or a fetch-based SRI verification.


Project Structure

your-project/
├── src/
│   └── main.js          ← your source code
├── dist/
│   └── app.secure.js    ← obfuscated output (deploy this only)
└── kra-secure.config.js ← optional configuration

Security note: Only ever deploy the dist/ folder. Never ship src/ to production.


Multi-file build

module.exports = {
  input: ["src/main.js", "src/worker.js"],
  output: "dist/[name].secure.js",   // [name] = basename without extension
  options: { level: "medium" }
};

npm scripts integration

{
  "scripts": {
    "build":   "kra-secure build",
    "build:debug": "kra-secure build --mode debug",
    "watch":   "kra-secure watch",
    "sign":    "kra-secure sign dist/app.secure.js",
    "verify":  "kra-secure verify dist/app.secure.js"
  }
}

License

MIT — © 2026 KraAxiom