September 19, 2014

Publish Your Scrambled Code Through npm

By José Magalhães | 2 min read

Publish Your Scrambled Code Through npm

Now that Jscrambler fully supports Node.js it’s time to start publishing our obfuscated libs through npm. In this article we’ll create a simple express hello world application with a build process that obfuscates all your code, ready to publish, while preventing your source code from being published. We’ll use Grunt to setup all of our fancy tasks.

First we create our application’s package.json:

    "name": "jscrambler-node-example",
    "version": "0.0.0",
    "private": true,
    "main": "index"

Notice that we’re setting private as true to avoid publishing the source code by mistake when using npm publish. Through the shell, let’s install our only non development dependency:

npm install express--save

Now hands on the application logic inside index.js:

var app = require('express')();
app.get('/', function(req, res) {
    res.send('Hello world!');

It’s a pretty useful application, isn’t it? What really matters is to setup our build tasks inside Gruntfile.js, but first we’ll install our development dependencies:

npm install grunt grunt - jscrambler grunt - contrib - clean grunt - replace--save - dev
exports = module.exports = function(grunt) {
        clean: {
            dist: ['dist/']
        jscrambler: {
            main: {
                options: {
                    keys: grunt.file.readJSON('jscrambler_keys.json'),
                    deleteProject: true
                params: {
                    "whitespace": "%DEFAULT%",
                    "rename_local": "%DEFAULT%",
                    "dot_notation_elimination": "%DEFAULT%",
                    "function_outlining": "%DEFAULT%",
                    "dead_code_injection": "%DEFAULT%",
                    "string_splitting": "%DEFAULT%",
                    "literal_duplicates": "%DEFAULT%",
                    "literal_hooking": "%DEFAULT%",
                    "dead_code_elimination": "%DEFAULT%",
                    "self_defending": "%DEFAULT%"
                files: [{
                    src: ['**', '!node_modules/**'],
                    dest: 'dist/'
        replace: {
            dist: {
                options: {
                    patterns: [{
                        match: /"private": true/g,
                        replacement: '"private": false'
                files: [{
                    src: ['dist/package.json'],
                    dest: 'dist/package.json',
                    cwd: '.'


    grunt.registerTask('default', ['build']);
    grunt.registerTask('build', ['clean', 'jscrambler', 'replace']);


The build task obfuscates all the source code into a folder named dist and sets private as false inside the distributable version of package.json.

Finally to build and publish just type grunt && cd dist && npm publish on the shell.

With this approach there are many benefits:

  • Deobfuscated code will never get published by mistake
  • Obfuscating the code is pain free
  • Publishing the code only takes one extra step prior to npm publish

Time to let those Rubik’s nodes out!

José Magalhães404 bio not found
View All Posts

Subscribe to our weekly newsletter

Learn more about new security threats and technologies.

Projeto Co-Financiado por (Mais info)Norte 2020, Portugal 2020, FEDR