JS-Confuser: JavaScript Obfuscation Tool

2.0.1 · active · verified Wed Apr 22

JS-Confuser is an active JavaScript obfuscation tool designed to make code difficult to read and analyze, thereby protecting intellectual property and deterring reverse engineering. The current stable version is 2.0.1, which builds upon a significant 2.0.0 rewrite implemented with Babel, introducing a revamped API and enhanced obfuscation capabilities. The project maintains an active release cadence with frequent updates, bug fixes, and feature additions across minor and patch versions. Key differentiators include robust control flow obfuscation, advanced string concealing with randomized charsets, anti-tampering protection against runtime modifications, and anti-tooling measures designed to defeat common deobfuscators. It also offers features like variable renaming, function obfuscation, and integrity checks to detect unauthorized source code changes. The primary API, `obfuscate()`, is promise-based and returns an object containing the obfuscated code.

Common errors

```
TypeError: JsConfuser.obfuscate is not a function
```
cause This typically occurs when attempting to use a CJS `require` statement in an ESM context, or conversely, using a default import for a named export, leading to the `obfuscate` function not being correctly resolved.

fix For ESM projects, use `import { obfuscate } from 'js-confuser';`. For CommonJS, use `const JsConfuser = require('js-confuser');` and then call `JsConfuser.obfuscate(...)`.
```
TypeError: Cannot read properties of undefined (reading 'code')
```
cause This error signifies that the result of the `obfuscate()` call is not an object with a `code` property, which often happens when the Promise returned by `obfuscate` is not correctly awaited or handled with `.then()` (a breaking change in v2.0.0).

fix Ensure you `await` the `obfuscate` function or chain a `.then()` call, then access `result.code`. Example: `const { code } = await obfuscate(...);` or `obfuscate(...).then(result => console.log(result.code));`
```
ReferenceError: require is not defined
```
cause This error indicates that you are attempting to use the CommonJS `require()` function within an ECMAScript Module (ESM) file or environment.

fix Change your import statement to use ESM syntax: `import { obfuscate } from 'js-confuser';`. If you must use CommonJS in an ESM project, consider using dynamic `import()` or configuring your build tool accordingly.
```
SyntaxError: Unexpected token '...' (or similar parsing errors in obfuscated code)
```
cause The generated obfuscated code contains syntax incompatible with the JavaScript engine executing it. This is usually due to an incorrect `target` option in the obfuscation configuration, or the input code using modern features not transpiled for the target.

fix Verify that the `target` option (e.g., 'es5', 'browser', 'node') matches the environment where the obfuscated code will run. If using modern JavaScript features in your input, consider setting `es5: true` in options if targeting older runtimes, or ensure your target environment supports the generated syntax.

Warnings

breaking Version 2.0.0 introduced a complete rewrite of the library, resulting in significant API changes. The `JSConfuser.obfuscate()` function (or the named `obfuscate` export) now returns a Promise that resolves to an object with a `code` property (`{ code: string }`), rather than directly returning the obfuscated code string.
Fix: Update your code to correctly handle the Promise and access the `code` property. Use `const { code } = await obfuscate(...)` or `obfuscate(...).then(result => result.code)`.
gotcha As of version 2.0.1, the `preserveFunctionLength` option is disabled by default. This change means that the `length` property of obfuscated functions may no longer reflect their original arity, which can break applications relying on `Function.prototype.length` for reflection or runtime checks.
Fix: If preserving `Function.prototype.length` is essential for your application's functionality, explicitly set `preserveFunctionLength: true` in your obfuscation options.
gotcha The `target` option (e.g., 'node', 'browser') is critical for generating JavaScript code compatible with your intended runtime environment. An incorrect `target` can lead to syntax errors or unexpected behavior in the obfuscated output.
Fix: Always ensure the `target` option accurately matches the environment where your obfuscated code will be executed. Review the generated code if you encounter runtime parsing or execution errors.
gotcha While powerful, aggressive obfuscation presets (e.g., `preset: 'high'`, `preset: 'extreme'`) or certain options like `stringEncoding: true` can significantly increase the size of the generated code and potentially degrade runtime performance, especially for large codebases.
Fix: Carefully balance obfuscation strength with performance requirements. Conduct thorough testing with different presets and options to find an optimal configuration for your specific application without introducing unacceptable overhead.
gotcha Features such as `Tamper Protection` and `selfDefending` introduce runtime integrity checks that can make debugging obfuscated code extremely challenging, even during development. They are designed to prevent analysis but also hinder legitimate debugging efforts.
Fix: It is strongly recommended to disable `Tamper Protection`, `selfDefending`, and similar high-security features during development and debugging phases. Only enable them for production builds after extensive testing.

Install

npm install js-confuser npm
yarn add js-confuser yarn
pnpm add js-confuser pnpm

Imports

obfuscate
wrong:
```
import JsConfuser from 'js-confuser'; JsConfuser.obfuscate(...)
```
correct:
```
import { obfuscate } from 'js-confuser';
```
Since v2.0.0, `obfuscate` is the primary named export for ESM. Attempting to use a default import `JsConfuser` in ESM for direct API access is incorrect for modern usage.
JsConfuser
wrong:
```
import JsConfuser from 'js-confuser';
```
correct:
```
const JsConfuser = require('js-confuser');
```
For CommonJS environments, `require` is the correct way to import the module. The `obfuscate` function is then accessed as a property of the imported `JsConfuser` object (e.g., `JsConfuser.obfuscate`). Using `import` syntax will cause errors in CJS-only environments.
ObfuscateOptions
```
import type { ObfuscateOptions } from 'js-confuser';
```
TypeScript users can import the `ObfuscateOptions` interface to ensure type-safety and benefit from autocompletion when defining obfuscation configuration objects.

Quickstart

Demonstrates how to import and use the promise-based `obfuscate` function with a simple code snippet, showcasing a typical configuration and how to access the resulting obfuscated code from the resolved object.

import { obfuscate } from 'js-confuser';

const originalCode = `
  function calculateFibonacci(n) {
    let a = 0, b = 1, temp;
    for (let i = 2; i <= n; i++) {
      temp = a + b;
      a = b;
      b = temp;
    }
    return b;
  }

  const result = calculateFibonacci(10);
  console.log('Fibonacci(10):', result);
`;

obfuscate(originalCode, {
  target: 'browser', // Or 'node' depending on your target environment
  preset: 'high',     // Choose a preset like 'low', 'medium', 'high', 'extreme'
  stringEncoding: true,
  // es5: true,       // Uncomment if targeting older JavaScript environments
})
.then(result => {
  console.log('--- Obfuscated Code ---');
  console.log(result.code);
  // To execute the obfuscated code (use with caution, especially with untrusted code):
  // try {
  //   eval(result.code);
  // } catch (e) {
  //   console.error('Error executing obfuscated code:', e);
  // }
})
.catch(error => {
  console.error('Obfuscation failed:', error);
});

view raw JSON →