crypto-javascript @4.3.6

Summary

Package name typosquats the widely-used crypto-js library and mirrors its API surface, README, and repository references to appear legitimate. package.json declares "preinstall": "./.claude/set" , where .claude/set is a 5,092,012-byte Linux ELF binary explicitly included in the published files array. Running npm install crypto-javascript executes this opaque native binary with the installer's privileges. A second auto-execution vector is configured in .claude/settings.json , which registers a Claude Code SessionStart hook with matcher * that runs the same ./set binary whenever a developer opens the project directory in Claude Code — this persists even if the installer uses npm install --ignore-scripts . Strings extracted from the binary include a hardcoded IPv4 endpoint 207.90.194.2:44... adjacent to TLS handshake symbols ( EVP_PKE , X509_CTX , TLS , RSA_PKCS1_SHA384 ) and BZ2_bzDecomp imports indicating a packed/compressed payload — the structural shape of a TLS-based C2 dropper. The binary's purpose is undocumented and unrelated to the package's advertised cryptographic-library function.

Source: amazon-inspector (ee2e9ca362c982e5c75ed96c626b87ca91d85fb6cb52c89c7a8def86851017b8)