@apiwizards/auth-middleware @4.7.0

Summary

The package advertises itself as auth middleware but its main entry (index.js) is a 21KB obfuscator.io-packed file that, on require, performs a hidden download-and-execute pipeline. The single-file main uses an RC4-decoded 273-entry string array and control-flow flattening to conceal its require targets and network destination. On load it requires fs/os/path/child_process plus an HTTP client, installs no-op handlers for uncaughtException/unhandledRejection to suppress errors, constructs a host string via chained replaceAll calls on an obfuscated literal, performs an HTTP GET, writes the response body to disk with flag 'w+', and then invokes child_process.exec on the fetched bytes with windowsHide:true and cwd=process.cwd(). Any service that imports this package executes attacker-controlled remote code in its process context. The package.json has empty description and author and uses a generic name ( @apiwizards/auth-middleware ) consistent with namespace abuse targeting developers searching for an auth library.

Source: amazon-inspector (ba0f33946c3dd0624d21c0e99beb12f22b880bc126a3474753b38a9799fc5293)