The safest way to ship JavaScript. Full stop.
Package manager. Bundler. Encryptor. Compiler. The only JavaScript toolchain that ships encrypted native binaries with debugger detection, zero disk source delivery, and per build randomised keys. One tool.
Built so attackers fail.
Every other JavaScript toolchain ships readable source — minified at best, decompilable at worst. cXpher ships a hardened native binary with the source never reaching disk.
Strong symmetric encryption
AES-256-GCM with per build cryptographically random keying material. No two binaries from the same source share a key, a layout, or an ordering. Bulk extraction is mathematically impossible.
Zero disk source delivery
Decrypted source streams directly into the JavaScript interpreter through an in-memory channel. No filesystem entry. No path. No name to grep for. Your source has no presence on the disk at any point.
Native debugger resistance
Linux, macOS, and Windows each ship platform specific runtime checks that detect debugger attachment and exit silently. The exits are silent on purpose — an attacker cannot learn which check fired.
Timing attack detection
The runtime self monitors execution timing against a tight budget. Single step debugging blows the budget and the process exits silently within milliseconds. No state escapes.
Cross compilation, one command
One cxpher compile-all produces native binaries for Linux x64/x86/ARM64/ARM32, macOS x64/ARM64, Windows x64/ARM64 plus a generated Node CLI wrapper. Ship the whole matrix as one npm package.
Full package manager
Dependency resolution, global content addressable store, lockfile management, parallel installation, multi registry fallback, framework auto detection, local file: and link: protocols. Drop-in for npm, yarn, pnpm, bun.
Four stages. One binary.
Source goes in. A platform-specific encrypted native executable comes out. Every component of every build is unique.
Your project source and every node_modules dependency collapses into a single self contained JavaScript blob. Zero external requirements at runtime.
The bundle is wrapped, encrypted with per build random keying, and the key is decomposed across the binary in a layout that's different for every build. Bulk extraction across versions is impossible.
Platform specific runtime containing the encrypted payload, key reconstruction logic, anti tampering checks, and the in memory source delivery channel.
GCC, Clang, MinGW, or MSVC produces a standard ELF, Mach-O, or PE executable. No runtime dependency on OpenSSL or libcrypto. Just libc.
cXpher vs everything else.
There is currently no production grade JavaScript packaging solution that takes source protection seriously. Except cXpher.
| Capability | npm | yarn | pnpm | bun | cXpher |
|---|---|---|---|---|---|
| Package management | ✓ | ✓ | ✓ | ✓ | ✓ |
| Bundling | ✗ | ✗ | ✗ | ✓ | ✓ |
| Source encryption | ✗ | ✗ | ✗ | ✗ | AES-256-GCM |
| Native binary output | ✗ | ✗ | ✗ | bytecode | native ELF/Mach-O/PE |
| Standalone (Node SEA) | ✗ | ✗ | ✗ | ✗ | ✓ |
| Per build randomised keying | ✗ | ✗ | ✗ | ✗ | ✓ |
| Zero disk source delivery | ✗ | ✗ | ✗ | ✗ | ✓ |
| Native debugger detection | ✗ | ✗ | ✗ | ✗ | Linux + macOS + Windows |
| Anti tampering timing checks | ✗ | ✗ | ✗ | ✗ | ✓ |
| Cross platform compilation | ✗ | ✗ | ✗ | ✗ | 10 targets |
| Single pass multi target build | ✗ | ✗ | ✗ | ✗ | compile-all |
| Content addressable store | ✗ | ✗ | ✓ | ✗ | ✓ |
| Hardlink installs | ✗ | ✗ | ✓ | ✗ | ✓ |
| HTTP keep alive pooling | ✗ | ✗ | ✓ | ✓ | ✓ |
| Multi registry fallback | ✗ | ✗ | ✗ | ✗ | npm → yarn → jsr → github |
From install to encrypted binary in three commands.
1 · Install globally
bashnpm install -g cxpher
2 · Initialise a project
bashcxpher init -y
cxpher add express
3 · Compile to encrypted binary
bashcxpher compile
# or standalone, embeds Node
cxpher compile --standalone
4 · Ship the whole matrix
bashcxpher compile-all --arm
# 8 native binaries + CLI wrapper
Stop shipping your source.
cXpher is free, MIT licensed, on npm and GitLab. Just cXpher it.