npm

@emcd-vue/b2b-pay-form@5.7.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5164

Ecosystem

npm

Summary

@emcd-vue/b2b-pay-form ships an obfuscator.io-encoded scripts/postinstall.js wired as the npm postinstall lifecycle hook. On npm install, the script builds a platform-keyed URL from os.platform(), performs an HTTPS GET of a remote payload, writes it to os.tmpdir(), and spawns it via spawn(process.execPath, [tmpFile], {detached:true}).unref() — a classic install-time dropper that grants the publisher arbitrary remote code execution on every installing host. An environment-variable kill switch and a TTL-gated JSON cache in the user home directory throttle re-execution to evade detection. The package's stated purpose is an 'Internal HTTP client'; fetching and executing remote Node code is unrelated to that purpose. The package metadata is also fabricated dependency-confusion bait: the scope @emcd-vue and all referenced domains (emcd-vue.io, github.emcd-vue.io, jira.emcd-vue.io, docs.emcd-vue.io, npm.emcd-vue.io, telemetry.emcd-vue.io) are not owned by any public organization, and the README instructs consumers to point npm at https://npm.emcd-vue.io while branding the package as 'Internal package — Platform Engineering Team' — the canonical pattern for targeting orgs whose private internal scope matches @emcd-vue or whose CI lazily resolves unknown scopes from the public registry. The postinstall file itself is heavily obfuscated (string-array + RC4-style decoder, control-flow flattening, self-defending function, 109-entry encoded string table), which has no legitimate purpose for a lifecycle script and is consistent with evasion of review.

Source: amazon-inspector (e45e677cee670117b0ff7dcdf2f04491cfb61385025a178e197ea35924e9410e)
