{"id":"https://openalex.org/W7148439052","doi":"https://doi.org/10.48550/arxiv.2604.01131","title":"Obfuscating Code Vulnerabilities against Static Analysis in JavaScript Code","display_name":"Obfuscating Code Vulnerabilities against Static Analysis in JavaScript Code","publication_year":2026,"publication_date":"2026-04-01","ids":{"openalex":"https://openalex.org/W7148439052","doi":"https://doi.org/10.48550/arxiv.2604.01131"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.01131","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.01131","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.01131","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5102812019","display_name":"Francesco Pagano","orcid":"https://orcid.org/0000-0003-1485-0068"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Pagano, Francesco","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5104421737","display_name":"Lorenzo Pisu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Pisu, Lorenzo","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5064107592","display_name":"Leonardo Regano","orcid":"https://orcid.org/0000-0002-9259-5157"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Regano, Leonardo","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5051452548","display_name":"Davide Maiorca","orcid":"https://orcid.org/0000-0003-2640-4663"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Maiorca, Davide","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5077703323","display_name":"Alessio Merlo","orcid":"https://orcid.org/0000-0002-2272-2376"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Merlo, Alessio","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5075367917","display_name":"Giorgio Giacinto","orcid":"https://orcid.org/0000-0002-5759-3017"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Giacinto, Giorgio","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5102812019"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.46230000257492065,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.46230000257492065,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.14180000126361847,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.11940000206232071,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/obfuscation","display_name":"Obfuscation","score":0.9014000296592712},{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.8154000043869019},{"id":"https://openalex.org/keywords/static-analysis","display_name":"Static analysis","score":0.6638000011444092},{"id":"https://openalex.org/keywords/static-program-analysis","display_name":"Static program analysis","score":0.5440999865531921},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.5332000255584717},{"id":"https://openalex.org/keywords/reverse-engineering","display_name":"Reverse engineering","score":0.48840001225471497},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.46959999203681946},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.41290000081062317},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.40689998865127563}],"concepts":[{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.9014000296592712},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8187999725341797},{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.8154000043869019},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.6638000011444092},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6262000203132629},{"id":"https://openalex.org/C137287247","wikidata":"https://www.wikidata.org/wiki/Q1329550","display_name":"Static program analysis","level":4,"score":0.5440999865531921},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.5332000255584717},{"id":"https://openalex.org/C207850805","wikidata":"https://www.wikidata.org/wiki/Q269608","display_name":"Reverse engineering","level":2,"score":0.48840001225471497},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.46959999203681946},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.41290000081062317},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.40689998865127563},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.36329999566078186},{"id":"https://openalex.org/C2779639559","wikidata":"https://www.wikidata.org/wiki/Q7661178","display_name":"Symbolic execution","level":3,"score":0.35580000281333923},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.3538999855518341},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.35370001196861267},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.33799999952316284},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.3375000059604645},{"id":"https://openalex.org/C2780801425","wikidata":"https://www.wikidata.org/wiki/Q5164392","display_name":"Construct (python library)","level":2,"score":0.32269999384880066},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.3197000026702881},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.31949999928474426},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.30979999899864197},{"id":"https://openalex.org/C519991488","wikidata":"https://www.wikidata.org/wiki/Q28865","display_name":"Python (programming language)","level":2,"score":0.29170000553131104},{"id":"https://openalex.org/C2780654840","wikidata":"https://www.wikidata.org/wiki/Q333341","display_name":"Abstract interpretation","level":2,"score":0.29170000553131104},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.28929999470710754},{"id":"https://openalex.org/C137922610","wikidata":"https://www.wikidata.org/wiki/Q2093","display_name":"Document Object Model","level":3,"score":0.27639999985694885},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.2630000114440918},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.2621999979019165},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.2621000111103058},{"id":"https://openalex.org/C189950617","wikidata":"https://www.wikidata.org/wiki/Q937228","display_name":"Property (philosophy)","level":2,"score":0.26190000772476196},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.2614000141620636}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.01131","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.01131","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.01131","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.01131","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.5681471824645996}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Code":[0],"obfuscation":[1,86,164,181],"is":[2,209],"widely":[3],"adopted":[4],"in":[5,97],"modern":[6],"software":[7,37],"development":[8],"to":[9,26,150],"protect":[10],"intellectual":[11],"property":[12],"and":[13,104,128,166,169,176,216,237],"hinder":[14],"reverse":[15],"engineering,":[16],"but":[17],"it":[18,107],"also":[19],"provides":[20],"attackers":[21],"with":[22,197],"a":[23,36,41,52,92,112,130,179,226],"powerful":[24],"means":[25],"conceal":[27],"malicious":[28],"logic":[29],"inside":[30],"otherwise":[31],"legitimate":[32],"JavaScript":[33,85,207],"code.":[34],"In":[35],"supply":[38],"chain":[39],"where":[40],"single":[42,180],"compromised":[43],"package":[44],"can":[45],"affect":[46],"thousands":[47],"of":[48,84,229],"applications,":[49],"this":[50],"raises":[51],"critical":[53],"question:":[54],"how":[55],"robust":[56,212],"are":[57],"the":[58,82,109,117,122,142,148],"Static":[59],"Application":[60],"Security":[61],"Testing":[62],"(SAST)":[63],"tools":[64],"that":[65,77,205,217],"CI/CD":[66],"pipelines":[67],"rely":[68],"on":[69,87,220],"as":[70],"automated":[71],"security":[72],"gatekeepers?":[73],"This":[74],"paper":[75],"answers":[76],"question":[78],"by":[79],"empirically":[80],"quantifying":[81],"impact":[83],"state-of-practice":[88],"SAST.":[89],"We":[90],"define":[91],"realistic":[93],"supply-chain":[94],"threat":[95],"model":[96],"which":[98],"an":[99],"adversary":[100],"injects":[101],"vulnerable":[102],"code":[103,222],"iteratively":[105],"obfuscates":[106],"until":[108],"pipeline":[110],"reports":[111,219],"clean":[113],"scan.":[114],"To":[115],"measure":[116],"resulting":[118],"degradation,":[119],"we":[120,134,146,160,232],"introduce":[121],"Vulnerability":[123],"Detection":[124],"Loss":[125],"(VDL)":[126],"metric":[127],"conduct":[129],"two-phase":[131],"study.":[132],"First,":[133],"analyze":[135],"16":[136],"vulnerable-by-design":[137],"Node.js":[138],"web":[139],"applications":[140],"from":[141,155],"OWASP":[143],"directory;":[144],"second,":[145],"extend":[147],"analysis":[149],"260":[151],"in-the-wild":[152],"JavaScript/Node.js":[153],"projects":[154],"GitHub.":[156],"Across":[157],"both":[158],"datasets,":[159],"apply":[161],"eight":[162],"semantics-preserving":[163],"techniques":[165,193],"their":[167],"combinations":[168],"evaluate":[170],"two":[171],"representative":[172],"SAST":[173,208],"tools,":[174],"Njsscan":[175],"Bearer.":[177],"Even":[178],"technique":[182],"typically":[183],"suppresses":[184],"most":[185],"baseline":[186],"findings,":[187],"including":[188],"high-severity":[189],"issues,":[190],"while":[191],"stacking":[192],"yield":[194],"near-total":[195],"evasion,":[196],"VDL":[198],"often":[199],"approaching":[200],"100%.":[201],"Our":[202],"results":[203],"show":[204],"current":[206],"fundamentally":[210],"not":[211],"against":[213],"commonplace":[214],"obfuscations":[215],"\"clean\"":[218],"obfuscated":[221],"may":[223],"offer":[224],"only":[225],"false":[227],"sense":[228],"security.":[230],"Finally,":[231],"discuss":[233],"practical":[234],"mitigation":[235],"guidelines":[236],"directions":[238],"for":[239],"obfuscation-aware":[240],"analysis.":[241]},"counts_by_year":[],"updated_date":"2026-04-03T16:44:17.987007","created_date":"2026-04-03T00:00:00"}