npm

logger-draft @3.2.2

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID: MAL-2026-4346

Ecosystem: npm

Summary

logger-draft@3.2.1 advertises itself as a terminal-color logger but ships a heavily obfuscated postinstall dropper (utils.cjs, 252 KB, obfuscator.io-style string-array + RC4 + self-defending wrappers) wired into package.json as "postinstall": "node utils.cjs".

On install the script RC4-decodes a hidden BINARY_BASE_URL and HF_TOKEN, selects a platform-specific filename (linux-x64/arm64, darwin-arm64, win32-x64), HTTPS-GETs the binary with an Authorization: Bearer <token> header, writes it under the user's data directory with mode 0o755, and detached-spawns it. No hash or signature verification is performed, and the bearer-token gate means the source bytes are unauditable from the published package; the author can swap the payload server-side at any time.

After dropping the binary the script installs cross-platform boot persistence: on Windows it creates a schtasks /SC ONLOGON task and an HKCU\...\CurrentVersion\Run value pointing at a generated.vbs shim that re-spawns the binary hidden; on Linux it writes ~/.config/systemd/user/<unit>.service and runs systemctl --user daemon-reload && enable --now, plus an autostart entry; on macOS it launches the binary detached from a writable directory.

Supporting deception signals: the README is titled terminal-logger-utils and instructs npm install terminal-logger-utils (mismatched name), publisher metadata is a bare handle with no repository/homepage/license, and the README claims 'Zero runtime dependencies' while package.json declares nine. Installer harm fires automatically on npm install in any developer or CI environment.

Source: amazon-inspector (0862a27a4fcbb3fc546fed447371d22dfcabb46e2d6a163754d30ec300fdceb7)
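The static signals listed in the summary (install hook running a bundled script, README/package name mismatch, contradicted dependency claim, missing provenance metadata) can be checked before anything is installed. The following is an added example, not part of the advisory or of any scanner's code; the function name triagePackage, the finding ids and the sample manifest and README are constructed for illustration.

```javascript
// Added example: static triage of a package manifest and README for the
// deception signals described in this advisory. Heuristic only.
const HOOKS = ["preinstall", "install", "postinstall"];

function triagePackage(manifest, readme) {
  const findings = [];

  // 1. Install-time hooks that run a script shipped inside the package.
  for (const hook of HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    const m = cmd && /\bnode\s+(\S+\.(?:c|m)?js)\b/.exec(cmd);
    if (m) findings.push({ id: "install-hook", hook, file: m[1] });
  }

  // 2. README tells users to install a differently named package.
  const re = /npm\s+(?:install|i)\s+(?:-\S+\s+)*([@\w./-]+)/g;
  for (const m of readme.matchAll(re)) {
    if (m[1] !== manifest.name) {
      findings.push({ id: "name-mismatch", readmeName: m[1] });
    }
  }

  // 3. "Zero dependencies" claim contradicted by the manifest.
  const depCount = Object.keys(manifest.dependencies || {}).length;
  if (/zero\s+(?:runtime\s+)?dependencies/i.test(readme) && depCount > 0) {
    findings.push({ id: "dependency-claim", declared: depCount });
  }

  // 4. No repository, homepage or license metadata at all.
  const missing = ["repository", "homepage", "license"].filter((k) => !manifest[k]);
  if (missing.length === 3) findings.push({ id: "no-provenance", missing });

  return findings;
}

// Constructed sample mirroring the advisory; dependency names are placeholders.
const sampleManifest = {
  name: "logger-draft",
  version: "3.2.1",
  scripts: { postinstall: "node utils.cjs" },
  dependencies: Object.fromEntries(
    Array.from({ length: 9 }, (_, i) => [`placeholder-dep-${i + 1}`, "*"])
  ),
};
const sampleReadme =
  "# terminal-logger-utils\n\nnpm install terminal-logger-utils\n\nZero runtime dependencies.\n";

const sampleFindings = triagePackage(sampleManifest, sampleReadme);
console.log(sampleFindings.map((f) => f.id).join(", "));
```

Running the check against an unpacked tarball (for example from npm pack) or installing with npm install --ignore-scripts keeps the postinstall hook from executing while the package is reviewed.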
