dot-utils-plus @0.1.9
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4549
Ecosystem
npm
Summary
On every import, dist/index.js base64-decodes a hardcoded AES-256-CBC ciphertext, derives a key from the environment variable VITE_DOT_UTILS_AES_SECRET, decrypts the result into JavaScript source, wraps it in a Blob/data URL, and dynamically import()s it. The decrypted code is opaque to consumers and to static review; whoever holds the AES secret can ship arbitrary JavaScript to every downstream application that loads this library. This is a backdoor/remote-code-execution surface delivered through the library's normal import path.

In addition, the same bundle monkey-patches the global EventTarget.prototype.addEventListener at import time. For every click listener registered after the patch, on dates after 2026-06-10 and when running outside development, the wrapper has a 5% chance of busy-waiting 5000ms on the main thread: a date-gated logic bomb that silently degrades any web app loading the package.

None of this behavior is documented in the README or the declared API, and package.json carries placeholder author metadata ("Your Name") with a self-described "encrypted distribution build" as the only shipped artifact.
Source: amazon-inspector (3091b9bb8cbf714d9391a59f7303a3748e183bbdf0fba2264b7496a2072e717f)