Research & Release Notes

AI-aware JavaScript protection, written down.

Long-form articles on what AI assistants can and cannot do with obfuscated JavaScript, how Maximum-mode transforms hold up against modern reverse engineering, and how teams put protection into release workflows.

Featured Article
Vendor Comparison 2026-04-26 ~10 min read

JavaScript VM protection compared — Jscrambler, JSDefender, Verimatrix, OSS virtualizers

Vendor by vendor on JavaScript bytecode VM protection. What Jscrambler, PreEmptive JSDefender, Verimatrix Code Protection, Digital.ai Application Protection, and the open-source virtualizers actually ship. Where JSO’s selective per-function virtualization fits. Includes a budget-band decision framework.

Read the full comparison

More research and roadmap

Newest first
Supply-chain integrity · Shipped 2026-05-28 ~7 min read

Watermarks + signed attestations for protected JavaScript

HMAC-SHA256 watermarks that survive every obfuscation transform, Ed25519-signed release attestations with two-stage verify, pre-flight quota gates, bulk forensic scanner. Cross-language verified across Node, Python, and .NET. Wire format is open. Six lines of GitHub Action YAML covers the whole stack.

Read article ›
JSO AI · Phase 1 shipped Updated 2026-06-06 ~5 min read

JSO AI previews and BYO keys are live

Four endpoints, three browser previews, encrypted OpenAI / Claude account keys, Prometheus usage export, JSON Schema, language client snippets, and RSS. Preview mode works without a key; BYO keys turn the same endpoints into live AI for that account.

Read article ›
Maximum Mode · VM Bytecode Beta Updated 2026-06-06 ~8 min read

VM-based protection for selected sensitive functions

Eligible Corporate+ accounts can test bytecode virtualization for small pieces of high-value JavaScript. The design tradeoffs and why it is opt-in per function rather than whole-bundle default.

Read article ›
AI-Aware Research 2026-05-20 ~10 min read

CASCADE and the LLM-deobfuscator question

Google’s CASCADE pairs Gemini with a JavaScript IR to deobfuscate at scale. What the paper actually does, where per-build polymorphism alone falls short against prelude-detection, and what’s on the JSO roadmap to answer it.

Read article ›
Resistance Score · Planned 2026-05-20 ~8 min read

The Resistance Score: planned evidence for AI-resistance claims

Every obfuscator markets “AI-resistant,” almost none ship a way to check it. The artifact JSO is designing to make the claim reviewable: a named adversarial probe, a source-free report, and recovery categories.

Read article ›
AI-Aware Research 2026-04-25 ~9 min read

Can ChatGPT, Claude, or Copilot reverse-engineer obfuscated JavaScript?

A direct technical answer for 2026. What today’s AI assistants can actually deobfuscate, where they break down structurally, and why per-build polymorphic decoders disrupt the pattern-matching approach LLMs rely on.

Read article ›

More articles coming

We publish on AI-aware protection, modern JavaScript build integration, runtime evidence, and how obfuscation fits with server-side authority. New posts are linked from the homepage when they go live.