js-crypto-promise @1.0.1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5569

Ecosystem

npm

Summary

The package's prepinstall.js script base64-decodes a hidden URL (stored in a constant misleadingly named HASH_KEY, decoding to https://jsonkeeper.com/b/DWNFF, an anonymous paste service), fetches the JSON body via axios, reads the .cache field, and pipes the contents into a detached node child process via stdin: const child = spawn('node', [], { detached: true, stdio: ['pipe', 'ignore', 'ignore'] }); child.stdin.write(k1);. This dropper fires automatically on npm install via scripts.postinstall. To defeat the --ignore-scripts mitigation, index.js also wraps a dynamic import('./prepinstall.js') inside a top-level IIFE, so any consumer that calls require('js-crypto-promise') re-triggers the same remote fetch and execution. The payload host is mutable, anonymous, unpinned, and unverified: the package author can swap in arbitrary code at any time. The package name impersonates the legitimate crypto-promise package: the README copies the real package's example code and embeds the real package's npm badge link, and the homepage points at the legitimate maintainer's GitHub repo. Installer impact: any npm install or require() of this package executes attacker-controlled Node.js code on the installer's machine.

Source: amazon-inspector (a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f)
