@merceas/cross-fetch @3.1.12

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC

Malicious

OSV ID

MAL-2026-6510

Ecosystem

npm

Summary

The package is published under the @merceas scope as cross-fetch and reuses the upstream cross-fetch README, homepage (github.com/lquixada/cross-fetch) and author metadata to impersonate the legitimate cross-fetch package. Its main entry, dist/node-ponyfill.js, contains decoy ponyfill code followed by two obfuscator.io-packed IIFEs that run as soon as the module is require()d. The IIFEs dynamically import fs, os, path, https, http, crypto, url and child_process; AES-256-decrypt a URL assembled at runtime from four 32-byte hex Buffers; HTTPS-GET the payload (following 301/302/303/307/308 redirects, with exponential-backoff retries); write it under os.tmpdir()/<name>-<pid>/; chmod the file to 0755 (chmodSync(file, 0x1ed), where 0x1ed is 493 decimal, i.e. mode 0755); execute it via bash -c <file>; and additionally spawn a detached, unref()'d child with stdio: 'ignore' and windowsHide: true for self-respawn and persistence. The obfuscation uses a string array with a numeric-IIFE shift, an RC4-keyed base64 lookup and an anti-tamper self-test built on RegExp and debugger to hide the URL and command strings from static inspection. Importing this package, directly or as a transitive dependency, executes attacker-controlled bytes on the installing machine in any environment that loads the module (CI, build, production, developer workstation).

Source: amazon-inspector (5f6307129b7d9edcbd76ffc93c9d8a6ae146332951d5ce90e659afe1eec01127)
