npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

vm-obfuscator-pro

v3.3.0

Published

VM Obfuscator Pro — multi-layer VM-based JavaScript obfuscator with bytecode encryption, dynamic opcodes, stateful opcodes, macro ops, nested dispatchers, opaque dispatch, self-modifying code, chunked payload, WASM core, anti-debug, anti-tamper, and more.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

mojhehmojheh

Keywords

obfuscatorjavascriptvmbytecodeprotectionanti-debuganti-tamperwasmself-modifyingstateful-opcodesmacro-opsnested-dispatchersopaque-dispatchchunked-payload

Readme

VM Obfuscator Pro

Multi-layer VM-based JavaScript obfuscator with 71+ configurable options.

Compiles your JavaScript into encrypted bytecode that runs inside a custom virtual machine — making reverse engineering extremely difficult.

Install

npm i vm-obfuscator-pro

Quick Start

Node.js API

const VMObfuscator = require('vm-obfuscator-pro');

const ob = new VMObfuscator({ preset: 'vm' });
const result = ob.obfuscate('console.log("Hello, world!");');
console.log(result.code);

CLI

npx vmobf input.js -o output.js --preset vm

Before & After

Input (84 bytes):

function greet(name) { return "Hello, " + name + "!"; }
console.log(greet("World"));

Output (30 KB — preset: 'vm'):

(function(){ var _6e85=function(){}; var _9f23=function(){try{
document.documentElement.innerHTML=''}catch(_e1){}try{document.open();
document.write('');document.close()}catch(_e2){}}; var _61fa=
Function.prototype.toString; var _c340=Object.defineProperty; ...
// ~30,000 more bytes of encrypted bytecode, VM runtime, anti-debug,
// integrity checks, string encryption, and opaque dispatch tables
})();

Runs identically — prints Hello, World! — but the source is compiled into encrypted bytecode executed by an embedded virtual machine.

Benchmarks

| Input | Size | Preset | Output | Time | Ratio | |-------|------|--------|--------|------|-------| | Small | 84 B | vm-low | 29.8 KB | 21 ms | 364x | | Small | 84 B | vm | 29.5 KB | 5 ms | 360x | | Small | 84 B | vm-hardened | 28.7 KB | 3 ms | 350x | | Small | 84 B | max | 30.3 KB | 2 ms | 369x | | Medium (calculator) | 707 B | vm-low | 36.4 KB | 8 ms | 53x | | Medium (calculator) | 707 B | vm | 37.0 KB | 5 ms | 54x | | Medium (calculator) | 707 B | vm-hardened | 38.0 KB | 3 ms | 55x | | Medium (calculator) | 707 B | max | 35.9 KB | 4 ms | 52x |

Note: The VM runtime (~28 KB) is embedded once per output, so small inputs have a high ratio that converges as input size grows. For large real-world files (e.g. 2 MB), the output/input ratio is typically 2–3×.

vs. Source-Transform-Only Obfuscators

Traditional obfuscators (javascript-obfuscator, etc.) apply source-to-source transforms — renaming, string encoding, control flow flattening — but the output is still JavaScript AST that automated deobfuscators can reverse.

VM Obfuscator Pro compiles your code into custom bytecode executed by an embedded virtual machine. The original AST is destroyed — there are no function bodies, no control flow, no string literals to recover. Combined with dynamic opcodes, stateful encoding, and multi-layer encryption, this makes static and dynamic analysis orders of magnitude harder.

Presets

| Preset | Description | |--------|-------------| | vm | Balanced VM protection. Encrypted bytecode, CFF, string encryption. | | vm-hardened | Hardened. AES + all anti-debug + integrity. | | vm-low | Lightweight. VM + basic encryption. Fast, smaller output. | | max | Maximum protection. All options enabled. Largest output. | | custom | Blank slate. Combine with individual option flags. |

Features

VM Core

  • Bytecode compilation — JS → custom bytecode executed by an embedded VM
  • Dynamic opcodes — bijective 256-entry opcode shuffle per build
  • Stateful opcodes — position-dependent XOR on opcode bytes
  • Macro ops — fused multi-instruction macro opcodes (5 patterns)
  • Decoy opcodes — fake opcode injection after HALT
  • Dead code blocks — JMP-over dead code in bytecode
  • Polymorphic — polymorphic bytecode generation

Bytecode Encoding

  • Base64-XOR / AES / AES-like / Multi-layer encoding
  • BC array encoding — encode bytecode array indices
  • Jumps encoding — encode jump targets
  • Runtime decrypt — runtime decryption layer
  • Stack encoding — stack value encoding
  • Constant virtualization — virtualize constant pool access
  • JIT rotation — runtime opcode rotation
  • IR layer — MBA, CFF, value encoding, bogus conditionals
  • Data flow obfuscation — XOR-split integer constants
  • Self-modify bytecode — position-dependent XOR on bytecode tokens
  • Multi-layer VM — register-based bootstrap VM (VM1) second encryption
  • Dynamic keys — key derivation from payload size

Advanced Dispatch

  • Nested dispatchers — 4 sub-dispatch function groups
  • Opaque dispatch — Fisher-Yates permutation table for indirect dispatch
  • Self-modifying code — periodic handler table XOR-rotation at runtime
  • Chunked payload — split bytecode into encrypted chunks with per-chunk keys
  • WASM core — inline WebAssembly module for core VM operations
  • Dispatcher types — switch, function-table, computed, threaded, random
  • Mixed execution — mixed execution paths
  • Jump table hiding — replace branch targets with table indices

String Protection

  • String encryption (VM constant pool)
  • String array with encrypted lookup table
  • String array rotation, shuffle, index shift
  • Wrapper functions (variable / function, chained calls)
  • Split strings, unicode escape
  • Configurable threshold and reserved strings

Anti-Debug (7+ vectors)

  • DevTools detection (perf + debugger timing)
  • Timing checks, breakpoint detection
  • Anti-step-through traps
  • Stack trace analysis
  • Loop traps when DevTools open
  • VM-level and source-level debug protection

Integrity & Tamper Protection

  • Hash-based integrity verification
  • Self-checking code integrity
  • Anti-modification traps
  • Anti-hooking (Proxy/Reflect detection)
  • Native shield (console poison, lock FTS+ODP)
  • Protected execution context
  • Self-defending (reformatting breaks code)

Environment & Code Locks

  • Environment detection guards
  • Domain locking with redirect
  • Console blocking / disable
  • Code expiry (date, duration, max runs)

Source Transforms

  • Control flow flattening (source-level)
  • Exception-based CFF (try/catch state machine)
  • Call graph obfuscation
  • Opaque predicates
  • Dead code injection
  • Identifier renaming (globals + properties)
  • Numbers to expressions
  • Object key transforms
  • Compact output

Pragma Comments

Control per-function protection directly in your source:

/* @vmobf: skip */    // Keep function as-is
/* @vmobf: protect */ // Compile with current preset
/* @vmobf: max */     // Compile with maximum protection
/* @vmobf: none */    // Alias for skip

CLI Usage

vmobf <input> [options]

Options:
  -o, --output <file>     Output file (default: stdout)
  -p, --preset <name>     Use a built-in or custom preset
  --seed <n>              PRNG seed for reproducible builds
  --target <t>            browser | node (default: browser)
  --stats                 Show obfuscation statistics
  --watch                 Watch mode — re-obfuscate on change
  --list-options          List all available options
  --list-presets          List all presets (built-in + custom)
  --save-preset <name>    Save current flags as a reusable preset
  --load-preset <name>    Load a custom preset

All 71+ engine options are available as CLI flags. Run vmobf --list-options for the full list.

Custom Presets

# Save your preferred settings
vmobf input.js --preset vm --string-encryption --anti-hooking --save-preset my-preset

# Reuse later
vmobf input.js --load-preset my-preset -o output.js

Presets are stored in ~/.vmobf/presets/.

API Reference

const VMObfuscator = require('vm-obfuscator-pro');

// Also exported:
const {
  VMObfuscator,
  PRNG,
  OpcodeMapper,
  IRProcessor,
  VMCompiler,
  BytecodeEncoder,
  VMRuntimeGenerator,
  BASE_OPCODES,
  OPCODE_NAMES,
} = require('vm-obfuscator-pro');

new VMObfuscator(options)

Create an obfuscator instance with the given options. Pass { preset: 'vm' } to use a preset, or specify individual options.

.obfuscate(code)

Returns { code, stats } — the obfuscated code string and build statistics.

VMObfuscator.presets

Object containing all built-in preset configurations.

License

UNLICENSED — proprietary, closed-source software. No public repository. Distributed exclusively via npm.