@apiwizards/auth-middleware @5.1.2

Summary

@apiwizards/auth-middleware@5.1.2 ships a single heavily obfuscated index.js (obfuscator.io string-array with 317 entries, RC4+base64 decoder, array-rotation self-defending wrapper) that is the package's declared main. On require(), a top-level IIFE loads os/fs/child_process/crypto/path and an HTTP client, performs an HTTPS GET against a hardcoded URL constructed from a base concatenated with the package version, splits the response on ':' into key/iv/ciphertext, AES-decrypts the body via crypto.createDecipheriv, writes the cleartext to a file under os.tmpdir() with flag 'w+', and executes it via child_process (execSync with windowsHide and a cwd derived from process.cwd()). No hash or signature verification is performed and errors are silenced via process.on('uncaughtException'). The package advertises itself as an auth middleware but ships no module.exports, no auth/login/verify/sign symbols, and empty description/author/keywords — the entire payload is the dropper. Any consumer that installs the package and require()s it (directly or transitively) will execute attacker-controlled bytes fetched from a non-publisher endpoint.

Source: amazon-inspector (718ca10ce0670edf6756b4ff0bd05e43526ebd516396a34074acf844116e7254)