npm

@rspack-debug/core@2.0.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4428

Ecosystem

npm

Summary

Package @rspack-debug/core@2.0.4 impersonates the popular @rspack/core bundler. The README, description ('Fast Rust-based bundler for the web with a modernized webpack API'), homepage (rspack.rs), and repository pointer are copied verbatim from the legitimate package. The package.json declares a single runtime dependency using npm's package-aliasing syntax: "@rspack/binding": "npm:@rspack-debug/binding@2.0.4". This forces every install to substitute the legitimate native binding @rspack/binding with the same-author-controlled sibling @rspack-debug/binding under the impersonating scope. The native binding is loaded by @rspack/core's main module, so any code shipped in @rspack-debug/binding executes when a consumer imports the package or runs the bundler. The combination of (a) a ≤1-edit name impersonation of a top-tier registry package, (b) verbatim cloning of the upstream identity, and (c) a dependency-alias redirect of the native binding to a sibling under the typosquat scope is the canonical delivery vehicle for malicious native code through a typosquat front.

Source: amazon-inspector (c05c92aa1796614da12b282390f160fef2a5c63aba9a3257af956c19df341ce5)
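As an added defender-side example (not part of the OSV record, of amazon-inspector's tooling, or of the rspack project), the following Node.js script scans a package.json for npm alias specs whose target package differs from the declared dependency name, which is the redirect pattern the summary describes. The manifest below is constructed to mirror the report and is not the real package contents; the functions `parseAlias` and `findAliasRedirects` are hypothetical names.

```javascript
// Constructed sample manifest modelled on the report (not the real package.json).
// The first dependency uses npm's alias syntax to swap the declared name for a
// different package; the "tslib" alias is a same-name pin and should not be flagged.
const sampleManifest = {
  name: "@rspack-debug/core",
  version: "2.0.4",
  dependencies: {
    "@rspack/binding": "npm:@rspack-debug/binding@2.0.4",
    "lodash": "^4.17.21",
    "tslib": "npm:tslib@2.6.0",
  },
};

// "@scope/name" -> "@scope"; unscoped names have no scope.
function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

// Parse an alias spec "npm:<pkg>[@<range>]" into { target, range }.
// Returns null for ordinary specs (ranges, tags, git/file URLs).
// A scoped target starts with "@", so the version separator is the next "@".
function parseAlias(spec) {
  if (!spec.startsWith("npm:")) return null;
  const body = spec.slice(4);
  const at = body.indexOf("@", body.startsWith("@") ? 1 : 0);
  if (at === -1) return { target: body, range: "*" };
  return { target: body.slice(0, at), range: body.slice(at + 1) };
}

// Report every dependency whose alias resolves to a package other than the
// declared name. scopeChanged marks the higher-risk case where the declared
// scope (here "@rspack") is quietly replaced by another one.
function findAliasRedirects(manifest) {
  const findings = [];
  for (const field of ["dependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const alias = parseAlias(spec);
      if (!alias || alias.target === name) continue; // same-name alias is benign
      findings.push({
        field, name, target: alias.target, range: alias.range,
        scopeChanged: scopeOf(name) !== scopeOf(alias.target),
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(findAliasRedirects(sampleManifest), null, 2));
```

Run the same check over each package.json in `node_modules` (or the resolved specs in the lockfile) to catch redirects introduced by transitive dependencies, not only by the top-level manifest.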
