bigint.fs @5.0.6
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-3750
Ecosystem: npm
Summary
On require()/import, index.js runs an IIFE that POSTs a getAccountInfo RPC call to https://api.devnet.solana.com for Solana account 4WF8QCFEnVD7BLs3QAVe2SjxRZ4n3EboCsdhj363VAqZ, base64-decodes the returned account data, reads a length prefix at offset 32, extracts the payload bytes at offset 36, and passes the resulting UTF-8 source to new Function('require','module','exports', src) — executing arbitrary JavaScript with the full privileges of the importing Node.js process. The payload is mutable (the attacker can rewrite the on-chain account data at any time), unpinned, not hash- or signature-verified, and delivered from infrastructure the attacker controls. The use of a public blockchain RPC endpoint as a C2 channel is designed to evade simple domain/IP blocking while remaining fully attacker-rewritable. The package name masquerades as a BigInt/filesystem utility; there is no legitimate reason for such a library to fetch and eval remote code on load.
Source: amazon-inspector (cb3e0cb5c95475ce69c3672be6acfb9283bc6e29a1d7ba7452c922e7dc96a966)