bubblestr @1.1.4

Summary

package.json declares "postinstall": "node index.js" , and index.js is a heavily obfuscated single-file script (RC4+base64 string-array with rotating shift and two decoder wrappers). After deobfuscation, the postinstall body performs an HTTP GET to a built URL, writes the response body to a file under os.tmpdir() using fs.writeFileSync(..., {flag:'w+'}) , and immediately executes the dropped file via child_process.exec(path, {windowsHide:true, cwd: process.cwd()}) . This fires automatically on npm install with no user interaction and lands attacker-controlled bytes on the installer's machine. Author and description fields are empty, the obfuscation has no legitimate justification for a 'utility' package, and the README contradicts the published name by instructing users to install/require @array-util/subsearch — a name-confusion lure designed to harvest installs while hiding under a different documented identity. The combination of install-time remote fetch-and-exec, obfuscation intent to evade scanners, and identity mismatch is a textbook supply-chain dropper.

Source: amazon-inspector (7831cb93037b6f364e2174f6d4fb64b38bac958e54f3653b8a70810681972172)