npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

simple-javascript-obf

v0.1.1

Published

Modular JavaScript obfuscator with optional VM and CFF

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

nenggemvnenggemv

Keywords

javascriptobfuscatorvmcontrol-flow-flattening

Readme

js-obf

A modular JavaScript obfuscation CLI with control-flow flattening (CFF) and optional VM virtualization.

Features

  • CLI input/output for Node.js and browser-targeted bundles
  • AST-level obfuscation: variable renaming, string encryption (Base64 + custom stream cipher / polymorphic variants), dead-code injection, control-flow flattening
  • Always runs Terser compression on output
  • Optional VM virtualization (covers common syntax; see limitations)
  • Optional anti-hook runtime guard (detects tampering of common built-ins)
  • VM opcode mapping randomization and mask obfuscation, fake opcode injection (configurable via vm.opcodeShuffle / vm.fakeOpcodes)
  • VM bytecode runtime decryption (can be disabled via vm.bytecodeEncrypt)
  • VM const pool runtime decryption (can be disabled via vm.constsEncrypt)
  • Highly modular plugin architecture for easy extension

Install

npm install

Usage

node bin/js-obf input.js -o output.js --preset high --vm --seed my-seed

Supports stdin (use - as input):

cat input.js | node bin/js-obf - -o output.js

Interactive script

Use the interactive script to choose features and specify input file/directory and output directory:

bash bin/obf.sh

If an input directory is provided, it will recursively obfuscate all .js files and overwrite them, automatically ignoring node_modules (also tolerates common misspellings of that directory name).

CLI options

  • -o, --output <file> Output file
  • --preset <high|balanced|low> Preset strength (default high)
  • --no-rename Disable variable renaming
  • --no-strings Disable string encryption
  • --no-cff Disable control-flow flattening
  • --no-dead Disable dead-code injection
  • --vm Enable VM virtualization (see limitations)
  • --vm-include name1,name2 Only virtualize the specified function names
  • --vm-opcode-shuffle Enable VM opcode random mapping (default on)
  • --no-vm-opcode-shuffle Disable VM opcode random mapping
  • --vm-fake-opcodes <0-1> Fake opcode injection probability (default 0.15)
  • --vm-bytecode Enable VM bytecode runtime decryption (default on)
  • --no-vm-bytecode Disable VM bytecode runtime decryption
  • --vm-consts Enable VM const pool runtime decryption (default on)
  • --no-vm-consts Disable VM const pool runtime decryption
  • --vm-downlevel Allow VM to downlevel let/const to var
  • --anti-hook Enable anti-hook runtime guard
  • --anti-hook-lock Enable anti-hook and freeze built-in prototype chains
  • --seed <value> PRNG seed
  • --ecma <version> Terser output ECMAScript version (default 2015)
  • --sourcemap Emit source map
  • --compact Compact output

Default output is ES2015 to preserve let/const. For ES5, set --ecma 5.

VM virtualization coverage

VM supports most common syntax while keeping performance and memory overhead reasonable:

  • Control flow: if/else, for/while/do-while, switch, break/continue
  • Exceptions: try/catch/finally (supports throw)
  • async/await (only inside async functions)
  • Variables: var (let/const are skipped by default; use --vm-downlevel to force)
  • Parameters: defaults, rest params, parameter destructuring (object/array)
  • Expressions: literals, member access, function calls, object/array literals, new, template strings, etc.

VM limitations

  • Generator function bodies are not virtualized (functions containing yield are skipped, but you can declare generators inside normal functions)
  • Optional chaining / nullish coalescing (?. / ??) not supported
  • spread (call/array/object) and object rest destructuring not supported
  • Destructuring assignment expressions are not supported (only parameter/variable declaration destructuring)
  • Complex or unsupported nodes are skipped for that function
  • VM uses the Function constructor to create closures; CSP-restricted environments may not run

Structure

  • src/index.js: core API
  • src/pipeline.js: plugin pipeline
  • src/plugins/*: obfuscation plugins
  • src/utils/*: utilities and RNG
  • bin/js-obf: CLI entry

License

MIT License. See LICENSE.

Third-Party Notices

Some dependencies require preserving author and license notices. See THIRD_PARTY_NOTICES.md.