
@weirdorg/config@1.0.3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4466

Ecosystem

npm

Summary

@weirdorg/config impersonates the widely used config (node-config) package, copying its README verbatim, including the require('config') usage example. The package's index.js does nothing but redirect to ./lib/load.js, a ~422 KB file protected with obfuscator.io-style RC4 string-array decoding that wraps a custom VM interpreter. The VM captures the host require, module, exports, __dirname and __filename into a global context and then evaluates several large base64-encoded bytecode payloads (e.g. _0x191ca6=["AcIHAQAEBOjIWW0O8b9jdskw9QJh7xQQCAAF7QEDACYE..."]). The code also references execArgv, inspector and SIGUSR1, debugger-evasion strings that have no place in a configuration library.

Because index.js loads lib/load.js immediately, opaque attacker-controlled code executes the moment any consumer runs require('@weirdorg/config'). The combination of (a) name confusion against a top-tier registry package, (b) a verbatim README copy to mislead installers, (c) a replaced entrypoint pointing at a heavily obfuscated VM, and (d) captured host require/module handles plus interpreted bytecode is the canonical malicious-loader shape. The exact network and exec behavior is intentionally hidden behind two layers of obfuscation, but arbitrary code execution in the installer's Node process is implicit in the design.

Source: amazon-inspector (b28e2fe6ac03c8e426aeb69f62bf0b2bd4dfdb06a5acee273bb5967186c5504d)
