npm

layerd-unit-codec-parser @1.0.0

Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 9:56 AM UTC

Malicious

OSV ID

MAL-2026-6578

Ecosystem

npm

Summary

Package is published as layerd-unit-codec-parser but its README, install instructions, and example imports present it as postcss-minify-selector-parser, a name resembling the legitimate postcss-selector-parser. To complete the impersonation, src/selector-parser.js re-exports the real postcss-selector-parser and src/index.js spreads its API onto the package's own exports. Alongside this benign-looking surface, src/config/defaults.js ships a multi-KB AES-GCM ciphertext (DEFAULT_FINAL_ENCODED_TEXT) together with the passphrase (DEFAULT_AES_PASSPHRASE='default-dev-passphrase') and salt (DEFAULT_AES_SALT='encode-npm-c-salt') needed to decrypt it. The exported run / runDefaultDecodedFunction / finalFinalDecodeAndRun code path (reachable via npm start, npm run decode, node cjs-runner.js, or any consumer calling .run() on the main export) decrypts that blob and executes the resulting string with new Function('require', runnable)(require). Shipping both the ciphertext and its decryption key makes the AES layer pure obfuscation over executable JavaScript that the package then evaluates — functionally equivalent to base64-decode-and-eval of an opaque payload, with full access to require in the installer's environment.

Source: amazon-inspector (e27d4511e4a3f335712736eebef6cf8e55e3f1bccbb13ded2fcef675622e58e1)
