date-uuid @1.0.1
Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 6:55 AM UTC
OSV ID
MAL-2026-6566
Ecosystem
npm
Summary
Package advertised as a UUIDv7 helper, but on require()/import it auto-invokes extractDateISO() in bootstrap.js, which reads README.md from process.cwd(), extracts two specific lines (120 and 123), and base64-decodes them after prepending 'aH' and inserting 'Rz' to reconstruct an 'http...' URL (the prefix 'aHR0c' decodes to 'http'). The reconstructed URL is fetched, written to os.tmpdir() as temp_<timestamp>.vbs (the '.vbs' extension is split as 'v'+'b'+'s' to evade grep), and executed via child_process.exec. The behavior is unrelated to the advertised UUID functionality. Sourcing the payload URL from the caller's README rather than the package source decouples the attacker-controlled destination from the published artifact and enables staged/deniable deployment: a chained attack or a future README edit can change what gets executed without republishing the package. Obfuscation devices (string-splitting the script extension, base64 framing of the URL prefix) co-located with the fetch-and-exec path indicate deliberate evasion intent.
Source: amazon-inspector (58dffbe61370f78deed5bacbc8f6bc46a8a989f03da218643a41b52ed025fa6a)