@bytemend/mfebus @1.4.5

Summary

The package advertises itself as a small in-memory pubsub library but its main entry dist/index.js eagerly require() s dist/bootstrap.js , a 277KB obfuscator.io-protected blob (string-array rotation, control-flow flattening, RC4 string decoder, self-defending wrappers) whose decoded behavior is a remote-code dropper. On require — and automatically when the module is loaded inside a forked Node child via maybeInstallAutoIpc() / addIpcTarget(process) — the bootstrap: (1) re-spawns process.execPath detached with the original argv and an env-var sentinel as an anti-analysis re-entry guard ( child_process.spawn(process.execPath, process.argv.slice(1), { detached:true, windowsHide:true, stdio:'ignore' }) followed by unref() ); (2) opens an HTTPS request to a destination resolved from RC4-decrypted strings, follows redirects, and writes the response under os.homedir()/.cache/<dir>/ ; (3) verifies a SHA-256 against a sidecar metadata file and then require() s the downloaded payload, executing attacker-controlled code in the installer's Node process. Before doing any of this, it installs no-op handlers for uncaughtException , unhandledRejection , and warning and wraps the flow in try/catch with process.exit(0) paths so failures are silently swallowed and never reach host application logs or telemetry. None of this network, child-process, or self-respawn behavior is disclosed in the README, and none of it is consistent with the package's stated pubsub purpose. Any project that imports this package — directly, transitively, or in a forked worker — fetches and executes attacker-controlled code on the installer's machine.

Source: amazon-inspector (b3d53776853d18aabf967b0f1882eb45f2164feedd600eeccc927f496002f5e4)