The package uses importScripts and eval, which can be used for arbitrary code execution, but it is a legitimate use case for this bundler.
No verification record available.
The provided evidence highlights the use of importScripts and eval in wasi-worker.mjs, which can lead to arbitrary code execution. However, the documentation states that the package is a low-level bundler that legitimately uses importScripts with eval for worker threads to load additional logic dynamically. Therefore, this behavior is not necessarily malicious in this specific scenario, and I don't have enough evidence to classify it as malware.
