3pool-sushibar @1.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-3673

Ecosystem

npm

Summary

This package is a dependency-chain dropper. Its package.json declares 15 undocumented dependencies in three numbered families (web3chain02032*, rusttool0701*, btc202523*), all pinned to ^1.1.1, none of which appear in the README, which describes a standalone Go miner. The bundled tranpack.sh exposes the campaign's publishing loop: an infinite loop that rewrites the package.json name from a roughly 500-word crypto/DeFi wordlist and runs `npm publish`; the current name, 3pool-sushibar, is one output of that generator.

The package itself is non-functional: the declared main entry, index.js, does not exist, so its only purpose is to pull in attacker-controlled sibling packages. Two undocumented 22 MB Windows .exe binaries with mismatched hashes further contradict the README's source-only build story.

Running `npm install 3pool-sushibar` fetches 15 attacker-controlled packages whose code is not in this package and sits one dependency hop away from inspection. The harm to anyone installing it is direct: namespace abuse to pull in the attacker's packages, with a crypto-themed generated name as the lure.

Source: amazon-inspector (5112bb2ea3570e56be6525c48ef026624f46dead693e78333696273c911c6c42)
