npm

mailconfirmer @3.3.58

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5750

Ecosystem

npm

Summary

The package advertises itself as an email-confirmation utility, but index.js contains only no-op stubs that console.log demo messages. The real behavior is in scripts.postinstall, which runs install-hook.js. That script holds a 280KB+ base64 string, XOR-decodes it with key 0x42, writes the resulting Windows PE to %TEMP%\tmp_<timestamp>.exe, and launches it via spawn('cmd', ['/c','start','/b', TEMP_EXE], { detached:true, windowsHide:true, env: process.env }) — detached, hidden window, with the installer's full environment passed in. The dropped binary is opaque, unsigned, and not justified by the package's stated purpose.

Immediately after launching the binary, install-hook.js writes a cleanup_<ts>.js to %TEMP% and spawns it detached. The cleanup script waits ~90 seconds, then deletes mailconfirmer from the host project's package.json and package-lock.json (with a findstr /v fallback), recursively removes the module's own folder under node_modules via cmd /c rmdir /s /q , and registers a schtasks /create fallback to retry the deletion. This self-erasing behavior is anti-forensics intended to hide the dropper after detonation, tampering with the installer's project manifests in the process.

Installer impact on Windows hosts: arbitrary attacker-controlled native code executes on npm install with the user's full environment, and traces of the offending package are scrubbed from the project tree.

Source: amazon-inspector (dfb184ffa15fd011b84658a6b5cd68582e78827258a8373f0da1ef34248bfb09)
