npm

btd-smart@1.0.3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID: MAL-2026-4501

Ecosystem: npm

Summary

The package presents itself as a clone of juliangruber/balanced-match (stolen author identity 'Julian Gruber <mail@juliangruber.com>', verbatim README, identical API renamed btdSmart, placeholder homepage 'github.com/your-org/btd-smart'). Appended to the legitimate code in index.js is an obfuscated block that runs unconditionally when the module is required. A custom string-shuffle decoder reconstructs the identifier 'constructor' (and other strings) without any literal occurrence in the file, retrieves the Function constructor from a string prototype, builds a function from a decoded source body, and invokes it. Before invocation, the code stashes require and module onto global under decoder-produced keys, so that the Function-built code, which otherwise has no closure scope, gains filesystem, network, and process capabilities. The payload body is opaque (deterministic numerical shuffle with 0x7F-based escape tricks across two nested decoders), executes on every require('btd-smart'), and the legitimate balanced-match code above it has no obfuscation, confirming that the appended block is purposefully hidden. The combined signals (typosquat with stolen identity, custom obfuscator, dynamic Function eval of a decoded blob at module load, deliberate global-smuggling of require/module) match the documented active-attack shape; no legitimate brace-matching utility needs any of these mechanisms.

Source: amazon-inspector (3ad22b27351879a89349a1232ee5abb46bc589399ea710b9769526a8080b3199)
