What is VM Obfuscation?

Highest Security

VM obfuscation is the most advanced form of code protection. It transforms your JavaScript functions into custom bytecode that runs on a virtual machine embedded in the output. The original logic is completely hidden — no JavaScript to reverse-engineer.

See Before & After Example

Targeting Specific Functions

Recommended

For optimal performance, VM-obfuscate only your most sensitive code using vmTargetFunctionsMode.

Comment Mode (Recommended)

Root Mode (Default)

Strict Mode Compatibility

Important

VM obfuscation needs to know at compile time whether code runs in strict mode. If your code relies on strict mode behavior, you must explicitly declare it.

Why? The VM compiles your code into bytecode before execution. It needs to know the strict mode context during compilation to generate correct bytecode for strict-mode-specific behaviors (e.g., this binding, duplicate parameters, arguments object behavior).

File-Level Strict Mode

Function-Level Strict Mode

Common issue: If your bundler or build tool adds "use strict"; automatically (like Webpack in production mode), but you obfuscate the source before bundling, the VM won't know about strict mode. Either add the directive to your source files or obfuscate after bundling.

VM Options Reference

Core VM Options

Hardening Options

Advanced Options

Using the NPM Package

Pro

You can use VM obfuscation in your build pipeline via the javascript-obfuscator npm package. The obfuscatePro() method connects to the obfuscator.io cloud service for VM-based bytecode obfuscation.

Installation

npm install --save-dev javascript-obfuscator

Usage

const JavaScriptObfuscator = require('javascript-obfuscator');

const sourceCode = `
function calculatePrice(qty, price) {
    const discount = 0.15;
    return qty * price * (1 - discount);
}
`;

const result = await JavaScriptObfuscator.obfuscatePro(
    sourceCode,
    {
        vmObfuscation: true,
        vmObfuscationThreshold: 1,
        compact: true
    },
    {
        apiToken: process.env.OBFUSCATOR_API_TOKEN
    }
);

console.log(result.getObfuscatedCode());

Generate your API key from your dashboard settings. Requires a Pro, Team, or Business subscription.

Troubleshooting VM Obfuscation Issues

VM obfuscation is currently in Beta. While it has been tested extensively, some edge cases may still cause issues.

VM obfuscation completely transforms your code into custom bytecode. Ideally, this transformation should handle all possible code patterns and edge cases seamlessly. However, since VM obfuscation is currently in beta, there are still edge cases that may not be fully supported. This means that VM-obfuscated code must be carefully tested in at least all happy-path scenarios before deployment.

If your code doesn't work after VM obfuscation:

1. Narrow down the problematic code
Use vmTargetFunctionsMode: 'comment' to selectively VM-obfuscate specific functions. Add the /* javascript-obfuscator:vm */ comment only to individual functions and test incrementally to identify which function causes the issue.
2. Contact support with details
Email support@obfuscator.io with as much information as possible:
- Error message and stack trace
- Environment (browser/Node.js version)
- Obfuscator options/preset used
- Obfuscator version (shown in the bottom-right corner of the editor)
- Minimal code sample that reproduces the issue (ideally the narrowed-down problematic function)

To significantly simplify debugging on our side, ideally share your source code with us. If your code is proprietary and you cannot share it directly, we can sign an NDA. Understanding the original code pattern that causes an error is essential for diagnosing and fixing the issue.