JavaScript Source Map Reverser — Extract original source code from .js.map files for security testing and bug bounty reconnaissance.
╦ ╦╔╗╔╔╦╗╔═╗╔═╗╔═╗╔═╗╦═╗
║ ║║║║║║║╠═╣╠═╝╠═╝║╣ ╠╦╝
╚═╝╝╚╝╩ ╩╩ ╩╩ ╩ ╚═╝╩╚═

| Feature |
Description |
| Local File Extraction |
Extract from local .map files |
| Directory Scanning |
Process all .map files in a directory |
| Remote URL Fetch |
Download and extract from remote .map URLs |
| JS Probing |
Probe .js files to find and extract their source maps |
| Page Spider |
Spider HTML pages to find all scripts with source maps |
| Colored Output |
Visual status indicators with ANSI colors |
# Extract from local file
unmapper app.js.map -o ./extracted
# Scan directory for all .map files
unmapper -s ./js/ -o ./sources
# Deep scan (recursive)
unmapper -s ./target/ -D -o ./sources
# Fetch and extract from .map URL directly
unmapper -u https://target.com/app.js.map -o ./out
# Probe a .js file for its source map
unmapper -P https://target.com/bundle.js -o ./out
# Spider a page and find all source maps
unmapper -S https://target.com/ -o ./out
| Option |
Description |
-s, --scan <path> |
Scan directory for .map files |
-D, --deep |
Scan directories recursively |
| Option |
Description |
-u, --url <url> |
Fetch and extract from .map URL directly |
-P, --probe <url> |
Probe a .js URL for its source map |
-S, --spider <url> |
Spider HTML page for all scripts |
| Option |
Description |
-h, --help |
Show help message |
-V, --version |
Show version |
-o, --out <path> |
Output directory (default: current) |
-q, --silent |
Suppress banner and progress |
-p, --prefix <path> |
Override sourceRoot field |
- Fetches the JavaScript file
- Looks for
//# sourceMappingURL= comment
- Falls back to common patterns (
app.js → app.js.map)
- Downloads and extracts the source map
- Fetches the HTML page
- Extracts all
<script src="..."> tags
- Probes each script for source maps
- Extracts all found source maps
╦ ╦╔╗╔╔╦╗╔═╗╔═╗╔═╗╔═╗╦═╗
║ ║║║║║║║╠═╣╠═╝╠═╝║╣ ╠╦╝
╚═╝╝╚╝╩ ╩╩ ╩╩ ╩ ╚═╝╩╚═ v1.2.0
─────────────────────────────────────
JavaScript Source Map Reverser
Extract source code from .js.map files
For authorized security testing only
[*] Probing JS file: https://target.com/app.js
[+] Found source map: https://target.com/app.js.map
[*] Detection method: sourceMappingURL
[*] Extracting to: ./out
═══════════════════════════════════════════════════════
✓ Extracted 156 source files
═══════════════════════════════════════════════════════
SUMMARY
├─ JS URL: app.js
├─ Map URL: app.js.map
├─ Files extracted: 156
└─ Output: ./out
const {
extractFromFile,
extractFromUrl,
probeJsUrl,
spiderPage
} = require('unmapper')
// Extract from local file
const result = await extractFromFile('app.js.map', './output')
// Extract from remote URL
const result = await extractFromUrl('https://target.com/app.js.map', './output')
// Probe a JS file for its source map
const probe = await probeJsUrl('https://target.com/app.js')
if (probe.ok && probe.hasSourcesContent) {
console.log('Map URL:', probe.mapUrl)
}
// Spider a page for all source maps
const spider = await spiderPage('https://target.com/')
console.log('Found maps:', spider.found.length)
Developers sometimes accidentally deploy source maps to production. This tool helps security researchers:
| Use Case |
Description |
| Reconnaissance |
Understand the application's internal structure |
| Code Review |
Find vulnerabilities in the original source |
| Secret Discovery |
Locate hardcoded API keys, endpoints, etc. |
MIT License - Felipe Fortunato