Some JavaScript functions are just more dangerous.
These 5 are common in obfuscated, injected, or malicious scripts:
1. eval()
Executes any string as JavaScript.
eval("alert('hacked')");
🔴 Widely abused in skimmers and obfuscation layers.
2. Function()
Dynamic code constructor.
let f = new Function("return 2+2");
🔴 Same risks as eval, harder to detect.
3. setTimeout() with strings
setTimeout("stealData()", 1000);
🔴 Allows delayed injection attacks.
4. document.write()
document.write('<script src="evil.js">');
🔴 Can overwrite the DOM and CSP protections.
5. atob() / btoa()
Used in decoding/encoding Base64 — often seen in obfuscation.
Breachfin watches for these in:
- New scripts
- DOM-modified scripts
- Unexpected inline content
When we see them in unknown sources, you get notified — instantly.
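A static check for the five patterns above, as an added example (not Breachfin's code and not part of the original post). The rule names, the findRiskySinks function and the sample script are constructed for illustration; the scan also decodes atob("...") literals and rescans the payload, since these calls are often layered.

```javascript
// Added example: constructed rules and sample input, for illustration only.
const RULES = [
  // (?<![\w$]) stops "myeval(" or "retrieval" from matching
  { rule: "eval", re: /(?<![\w$])eval\s*\(/g },
  // case-sensitive: Function(...) and new Function(...), not "function ("
  { rule: "Function", re: /(?<![\w$])Function\s*\(/g },
  // only the string form; setTimeout(() => ..., n) is not flagged
  { rule: "setTimeout-string", re: /(?<![\w$])setTimeout\s*\(\s*["'`]/g },
  { rule: "document.write", re: /(?<![\w$])document\s*\.\s*write(?:ln)?\s*\(/g },
  { rule: "base64", re: /(?<![\w$])(?:atob|btoa)\s*\(/g },
];
// atob("<literal>") calls whose payload can be decoded and scanned again
const B64_LITERAL = /(?<![\w$])atob\s*\(\s*(["'`])([A-Za-z0-9+/=]+)\1\s*\)/g;
const MAX_DEPTH = 3; // bound the unwrapping of nested Base64 layers

const decodeB64 = (s) =>
  typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("binary");

// Returns [{ rule, line, depth }]; depth > 0 means the hit was found inside
// a decoded Base64 literal, and line is then relative to that payload.
function findRiskySinks(source, depth = 0) {
  const hits = [];
  for (const { rule, re } of RULES) {
    for (const m of source.matchAll(re)) {
      const line = source.slice(0, m.index).split("\n").length;
      hits.push({ rule, line, depth });
    }
  }
  if (depth < MAX_DEPTH) {
    for (const m of source.matchAll(B64_LITERAL)) {
      try {
        hits.push(...findRiskySinks(decodeB64(m[2]), depth + 1));
      } catch { /* not valid Base64: skip this literal */ }
    }
  }
  return hits;
}

// Constructed sample: lines 1-2 are benign look-alikes, 3-5 should be flagged.
const SAMPLE = [
  "const retrieval = myeval(cfg);",
  "setTimeout(() => refresh(), 1000);",
  'setTimeout("stealData()", 1000);',
  'let f = new Function("return 2+2");',
  'eval(atob("ZG9jdW1lbnQud3JpdGUoIjxiPmhpPC9iPiIp"));',
].join("\n");
console.log(findRiskySinks(SAMPLE));
```

Pattern matching only catches the literal forms, so names assembled at runtime will not be reported. A Content-Security-Policy without 'unsafe-eval' blocks eval, Function and string-form setTimeout at execution time regardless.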