@frostnode/waitfor @0.10.6
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2026-6305
Ecosystem: npm

Summary
The package is published under the scope @frostnode, but its package.json homepage and repository fields point at https://github.com/mmustra/rxjs-poll, the legitimate rxjs-poll library by a different maintainer. The library source in dist/cjs/index.js is a near-verbatim copy of mmustra/rxjs-poll with one injected require line, var _trapHook = require('./tickinit.cjs'), at the top, and a call to _trapHook.runPrepare() inside the package's only documented export, poll(config) (dist/cjs/index.js:204).

dist/cjs/tickinit.cjs is a ~259KB obfuscator.io-protected blob (string-array shuffling, RC4-decoded property names, control-flow flattening, runtime Function(...) construction). It carries hardcoded base64 ciphertext that is decrypted at runtime via crypto.createDecipheriv('aes-256-gcm', …) to recover a C2 URL. It then re-launches the user's node binary under an env-var sentinel, dynamically requires child_process/fs/os/https/crypto, downloads attacker-controlled bytes to os.tmpdir(), writes a .lock JSON containing a sha256, and spawns the downloaded file via child_process.spawn(process.execPath, [tmpfile], {detached:true}).unref(). tickinit.cjs additionally exports onInstall = () => runPrepare() and ends with if (require.main === module) onInstall();, providing extra trigger surfaces for the same dropper: direct invocation with node tickinit.cjs, or a future postinstall hook.

Any consumer who imports @frostnode/waitfor and calls poll(), the documented and sole API, gets remote code execution on their machine with no consent, no version pinning, and no signature verification of the downloaded payload. The AES-GCM-wrapped destination, the repackaging of an unrelated maintainer's library under a new scope, and the multiple redundant trigger paths are the canonical malicious-dropper fingerprint.
Source: amazon-inspector (c332f4386c51821f983068e5df440f4fbc53c88d6ecc561ca41a8a444d3df998)