🤖 AI Summary
JavaScript code obfuscation can evade static application security testing (SAST) tools, leaving vulnerabilities undetected and giving a false sense of security in the software supply chain. This work constructs a realistic supply-chain threat model, in which an attacker injects vulnerable code and obfuscates it until the CI/CD scan comes back clean, and presents a systematic evaluation of eight semantics-preserving obfuscation techniques, applied individually and in combination, against two mainstream JavaScript SAST tools, Njsscan and Bearer. A two-phase empirical analysis covers 16 vulnerable-by-design Node.js applications from the OWASP directory and 260 real-world JavaScript/Node.js projects from GitHub, and the study defines a quantitative metric, Vulnerability Detection Loss (VDL), to measure how many baseline findings an obfuscation removes. Results show that even a single obfuscation technique suppresses most detections, including high-severity findings, while combining several techniques drives VDL close to 100%, exposing a fundamental lack of robustness in current SAST tools against commonplace obfuscation strategies.
📝 Abstract
Code obfuscation is widely adopted in modern software development to protect intellectual property and hinder reverse engineering, but it also provides attackers with a powerful means to conceal malicious logic inside otherwise legitimate JavaScript code. In a software supply chain where a single compromised package can affect thousands of applications, this raises a critical question: how robust are the Static Application Security Testing (SAST) tools that CI/CD pipelines rely on as automated security gatekeepers? This paper answers that question by empirically quantifying the impact of JavaScript obfuscation on state-of-practice SAST. We define a realistic supply-chain threat model in which an adversary injects vulnerable code and iteratively obfuscates it until the pipeline reports a clean scan. To measure the resulting degradation, we introduce the Vulnerability Detection Loss (VDL) metric and conduct a two-phase study. First, we analyze 16 vulnerable-by-design Node.js web applications from the OWASP directory; second, we extend the analysis to 260 in-the-wild JavaScript/Node.js projects from GitHub. Across both datasets, we apply eight semantics-preserving obfuscation techniques and their combinations, and evaluate two representative SAST tools, Njsscan and Bearer. Even a single obfuscation technique typically suppresses most baseline findings, including high-severity issues, while stacking techniques yields near-total evasion, with VDL often approaching 100%. Our results show that current JavaScript SAST is fundamentally not robust against commonplace obfuscations and that "clean" reports on obfuscated code may offer only a false sense of security. Finally, we discuss practical mitigation guidelines and directions for obfuscation-aware analysis.
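The mechanism behind the threat model and the VDL metric, as an added illustration that is not code from the paper or from Njsscan/Bearer: a toy regex-based "SAST" rule set in the style of lightweight pattern checks, three semantics-preserving source transformations standing in for the obfuscation techniques the paper evaluates (the paper's eight techniques are not listed in the abstract, so these are this example's own choices), a behavioural check that each transformed sample still does what the original did, and a VDL figure computed as the fraction of baseline findings that disappear. The three vulnerable samples, the rules, the transformations, the constructed request and the VDL formula are all assumptions made for this example, not the paper's definitions or data.

```javascript
// Added example (not from the paper, Njsscan or Bearer): regex-style SAST rules,
// semantics-preserving obfuscations, and a Vulnerability Detection Loss figure.
// Samples, rules, transformations and the VDL formula are assumptions for illustration.

// Constructed vulnerable-by-design Express-style route registrations.
const SAMPLES = {
  evalInjection:
    'app.get("/run", (req, res) => { res.send(eval(req.query.code)); });',
  commandInjection:
    'app.get("/ls", (req, res) => { exec("ls " + req.query.dir, (e, out) => res.send(out)); });',
  pathTraversal:
    'app.get("/file", (req, res) => { res.send(fs.readFileSync("./data/" + req.query.name)); });',
};

// Toy rules: "dangerous sink fed straight from the request object" as text patterns.
// The eval rule tolerates a few characters between callee and "(", the others do not.
const RULES = [
  { id: "eval-from-request", re: /\beval\b[^(]{0,8}\(\s*req\.(?:query|body|params)\b/ },
  { id: "exec-concat-request", re: /\bexec\s*\(\s*"[^"]*"\s*\+\s*req\b/ },
  { id: "fs-path-concat-request", re: /\breadFileSync\s*\(\s*"[^"]*"\s*\+\s*req\b/ },
];

function scan(source) {
  return RULES.filter((r) => r.re.test(source)).map((r) => r.id);
}

// Split a string into two non-empty-as-possible halves for concatenation tricks.
function halves(s) {
  const k = Math.max(1, Math.floor(s.length / 2));
  return [s.slice(0, k), s.slice(k)];
}

// Semantics-preserving transformations (assumed techniques, applied as text rewrites).
const OBFUSCATIONS = {
  // obj.prop  ->  obj["pr" + "op"]   (computed member access with a split string)
  splitProps: (src) =>
    src.replace(/(?<=[A-Za-z_$)\]])\.([A-Za-z_$][\w$]*)/g, (_, name) => {
      const [a, b] = halves(name);
      return `["${a}" + "${b}"]`;
    }),
  // "literal"  ->  ("lit" + "eral")   (simple double-quoted literals without escapes only)
  concatStrings: (src) =>
    src.replace(/"([^"\\]*)"/g, (m, text) => {
      if (text.length < 2) return m;
      const [a, b] = halves(text);
      return `("${a}" + "${b}")`;
    }),
  // callee(  ->  callee/**/(   (a comment between callee and argument list)
  commentCalls: (src) => src.replace(/\b([A-Za-z_$][\w$]*)\(/g, "$1/**/("),
};
const NAMES = Object.keys(OBFUSCATIONS);

function obfuscate(source, techniques) {
  return techniques.reduce((src, n) => OBFUSCATIONS[n](src), source);
}

// Run a sample against stubbed app/exec/fs with a constructed request and return
// what the handler sent, so baseline and obfuscated variants can be compared.
function behaviour(source, req) {
  let handler, sent;
  const app = { get: (_path, h) => { handler = h; } };
  const exec = (cmd, cb) => cb(null, "ran:" + cmd);
  const fs = { readFileSync: (p) => "read:" + p };
  new Function("app", "exec", "fs", source)(app, exec, fs);
  handler(req, { send: (v) => { sent = String(v); } });
  return sent;
}

// Assumed VDL: (baseline findings - findings on obfuscated code) / baseline findings.
function vdl(techniques) {
  const count = (f) => Object.values(SAMPLES).reduce((n, s) => n + scan(f(s)).length, 0);
  const baseline = count((s) => s);
  return (baseline - count((s) => obfuscate(s, techniques))) / baseline;
}

// True when every sample behaves identically before and after obfuscation.
function preservesBehaviour(techniques) {
  const req = { query: { code: "6 * 7", dir: "tmp", name: "a.txt" } };  // constructed input
  return Object.values(SAMPLES).every(
    (s) => behaviour(s, req) === behaviour(obfuscate(s, techniques), req));
}

// Every non-empty combination of techniques, in declaration order.
const COMBOS = [];
for (let mask = 1; mask < 1 << NAMES.length; mask++) {
  COMBOS.push(NAMES.filter((_, i) => mask & (1 << i)));
}

for (const c of COMBOS) {
  console.log(c.join("+").padEnd(40), "VDL", vdl(c).toFixed(2),
              "behaviour preserved:", preservesBehaviour(c));
}
```

With these rules each single transformation already removes two of the three baseline findings (VDL 0.67) while leaving the code functionally identical, and most pairs remove all three (VDL 1.00); which finding survives depends only on how literally a rule spells out the sink-to-source path, which is the fragility the paper measures at scale.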