@thymelab/logfx @2.15.6

Summary

@thymelab/logfx@2.15.5 ships a postinstall hook ( postinstall: node dist/bootstrap.js ) that runs a 282KB obfuscator.io-packed script on every npm install . The decoded control flow performs HTTPS GETs to a runtime-decrypted URL, AES-256-GCM-decrypts the response using an embedded key, sha256-verifies, stages files into os.tmpdir() , chmod's them, and re-spawns them via process.execPath using child_process.spawn with detached/unref'd handles. The script disables itself when --inspect / --debug are present (anti-analysis). The destination URL and decryption key are not pinned plaintext — they are decrypted at runtime, giving the publisher a mutable, attacker-controlled execution channel into every installer. Independently, dist/logfx.js is a near-verbatim copy of the unjs/consola logger and package.json.repository / bugs.url falsely point to github.com/unjs/consola , impersonating that project; an appended IIFE wraps the exported withTag API to call require('./bootstrap').runPrepare() , so the dropper also detonates when a consumer simply imports the package and uses its documented API. The combination of opaque obfuscation, runtime-decrypted remote URL, tmpdir staging with execPath respawn, anti-debug guard, and import-time trigger is a hostile install-time dropper, not a logging utility.

Source: amazon-inspector (edce595ab99f7bcc5404f8c1222a1d8f5a7cbbb1fc6cd6e02aabddaf19526839)