@emcd-vue/auth @6.4.5

Summary

@emcd-vue/auth@6.4.5 is a hollow shell package whose only functional content is a malicious postinstall script. package.json advertises this as an 'Internal @wildberries/service-router package' (a dependency-confusion lure targeting builds that expect an internal @wildberries/* mirror), but dist/index.js is a one-line re-export module.exports = require('../src/index.js') pointing at a path that does not exist in the tarball — the package provides no library functionality. scripts/postinstall.js is heavily obfuscated using an obfuscator.io-style shuffled string array with RC4 + base64 decoders and hex-encoded property accesses; critical strings (host, URL path, secret header) are assembled only at runtime via atob(...)+atob(...) concatenation to evade static inspection. On npm install the script issues an HTTPS GET with a custom X-Secret header to the runtime-assembled URL, writes the response buffer to a randomly-named.js file under os.tmpdir() , and spawns it with process.execPath (Node) detached, stdio:'ignore' , windowsHide:true , then .unref() s the child so it survives the installer. Host-identifying data is exfiltrated as part of the fetch (hostname-keyed string selection via os.hostname() , CWD walk-up via process.cwd() , Node version check), and the spawned child receives the installer's full process.env plus additional atob-decoded secret values, handing any environment-resident credentials to the attacker-controlled payload.

Source: amazon-inspector (f8bc285b34b9a2e8abc8e2a86a7a0c8738823d504bbc7e30a4e56b1ec9810162)