ROT13 with eval() Payload Obfuscation

discovered 2026-06-26

4.8 MB index.js payload obfuscated with a fixed ROT13 shift and executed via direct eval(). Wave 5 simplification vs Wave 4 (LeoPlatform): no AES-128-GCM decryption layer, no per-package key variation. ROT13 is statically recoverable without key material. Payload content post-eval is unconfirmed (analysis ongoing as of 2026-06-26).

Seen in packages

Campaigns