@tinyfox/shapecheck @0.8.8
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6312
Ecosystem
npm
Summary
Package @tinyfox/shapecheck re-publishes the source of the legitimate rulr validation library under a different name (the package.json repository field still points at git+https://github.com/ryasmi/rulr.git) and adds an obfuscated dist/bootstrap.cjs (~282 KB, obfuscator.io-style string array plus an RC4-style decoder) that the library's main entry, dist/rulr.cjs, requires on every load. The exported object() API immediately calls __tb.runPrepare(), so simply requiring @tinyfox/shapecheck and using its documented validation API fires the malicious bootstrap.

The bootstrap dynamically imports https, child_process, crypto, fs, os, path and net. It downloads files over HTTPS together with <file>.meta hash metadata, AES-256-GCM-decrypts ciphertext shipped inside the package using a hardcoded base64 key, IV and AAD, stages the result in os.tmpdir()/installer-<euid>, and executes the decrypted bytes via process.execPath or sh -c, with redirect handling, a 25-minute timeout, retry with backoff, and PID-collision detection.

It also implements an argv-hijacking re-spawn: it reads process.argv.slice(2), sets a sentinel environment variable to prevent recursion, and calls child_process.spawn(process.execPath, argv, { env, stdio: 'inherit', detached: true }).unref() to re-launch the operator's original Node invocation under the bootstrap's control, so whatever script the developer ran becomes a child of the malware. The bootstrap is also directly executable: an if (require.main === module) onInstall() guard triggers the same payload when a developer runs node node_modules/@tinyfox/shapecheck/dist/bootstrap.cjs.

There are no preinstall, install, postinstall or prepare lifecycle hooks, so the harm fires on require/import of the package or on direct invocation, not during npm install itself. Consequently, installing with --ignore-scripts or blocking lifecycle scripts in CI does not prevent execution; the first test run, build step or application start that loads the package does.
Source: amazon-inspector (ccad6ae47c18b5b41d16625a00ce1b493fc44d7e22658d549ff709d6df297b70)