@zynkit/jwtbytes @0.5.4
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6313
Ecosystem
npm
Summary
The package's main entry dist/mod.cjs begins with require('./prelude.cjs').runPrepare();, so any require('@zynkit/jwtbytes') auto-runs a 280 KB obfuscator.io-style IIFE in dist/prelude.cjs. The IIFE uses an RC4+base64 string-array decoder, anti-debug traps (RegExp/setInterval, console neutralization, --inspect / --inspect-brk checks), and AES-256-GCM ciphertexts decrypted with XOR-derived keys to reconstruct an HTTPS URL at runtime. It then re-execs the current Node process with a sentinel environment variable, fetches a payload to os.tmpdir(), marks it executable, and spawns it via process.execPath or /bin/sh -c. The legitimate codec sources from github.com/dahlia/byte-encodings are bundled verbatim under an unrelated publisher (zynkit <zynkit@pm.me>) while reusing the upstream homepage/repository URLs as a lure; the prelude.cjs loader is not present upstream and has been grafted on. The obfuscated loader (~280 KB) dwarfs the ~4 KB of advertised codec source. Importing this package in a developer or CI environment results in remote code execution under attacker control.
Source: amazon-inspector (56c346069fc4ee120281c9431c9f9544452f0d67b783df08750e00faaba5251b)