endpointmap @3.0.0
Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 12:56 PM UTC
OSV ID
MAL-2026-6588
Ecosystem
npm
Summary
endpointmap advertises itself as a REST endpoint registry but exhibits a two-package smuggle pattern.

lib/registry.js exports two non-printable byte arrays (_ep of length 36, _p of length 7) annotated as 'Endpoint host segment' / 'Endpoint path segment', with a comment claiming they are 'processed at runtime by the consumer for portability.' Neither array is read anywhere in endpointmap's own code (index.js only exposes the registry object), and the bytes are opaque (XOR-shaped, with no key shipped in this package).

At the same time, package.json declares "bytecraft": "*" as a dependency. endpointmap's source never requires bytecraft; the only effect of the declaration is to force installation of whatever bytecraft@latest happens to be at install time.

The combination of staged encoded data in this package and an unpinned, never-imported sibling that can be updated to act as the decoder/runtime is the canonical 'data here, decoder there' split, designed to evade per-package review. An installer of endpointmap is exposed to whatever bytecraft resolves to at install or require time, including future malicious versions, without endpointmap itself ever needing another release.
Source: amazon-inspector (aa2ddbcbdd90508af14415a021644c1ab8a57e432b526425e4c5128b23f897bb)