@nullzero/urlcat @1.4.3

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6309

Ecosystem

npm

Summary

Package @nullzero/urlcat impersonates the legitimate urlcat URL-builder library — same advertised cat(base, path, params) API, README copied from upstream, and package.json.repository.url points to git+https://github.com/balazsbotond/urlcat.git (the real upstream maintainer's repo, not the nullzero publisher's).

The package main lib/index.js line 64 calls encoder.runPrepare() at the top of every invocation of the exported cat() function. lib/encoder.js is a 263 KB obfuscator.io-packed file (rotated 1176-entry string array, RC4 decoder _0x2f0d, control-flow flattening) — far beyond anything a tiny URL composer requires.

Decoded control flow in lib/encoder.js selects a platform-specific binary candidate (branches on process.platform === 'win32' to 'win.js' / a bun-style executable, otherwise a node-typed binary), constructs a destination under os.tmpdir(), downloads it over https.request following up to 5 redirects with User-Agent: node-installer, sha256-checks it against a .meta JSON sidecar, and then spawns the dropped binary (or re-execs process.execPath against it) detached and unref'd, with a private env-var marker (__7D0A53...). The encoder also installs no-op handlers for uncaughtException, unhandledRejection, and SIGINT to suppress crashes, performs obfuscator.io-style debugger detection (Function('debugger') regex self-check), and re-spawns the current node when run interactively so the payload runs only in the detached child.

A URL-builder library has no legitimate need for a 263 KB obfuscated sibling, a platform-specific binary download, anti-debug guards, or a detached child re-exec. Any consumer who calls cat() triggers arbitrary code execution from an attacker-controlled binary on their machine.

Source: amazon-inspector (2c007ea1ba0e4bcd680cc3770361eefead0673eca418787720fa65c8c71a2e57)