motion-tool @2.3.8
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4615
Ecosystem: npm

Summary
This package masquerades as the pino logger (its README is copied from pino and it exports module.exports.pino = middleware), but the middleware does no logging. When the exported function is invoked, index.js spawns node lib/initializeCaller.js with detached: true, stdio: 'ignore', and child.unref(), so the child outlives the parent and runs silently. lib/initializeCaller.js shadows process.env with a local object whose DEV_API_KEY field is a base64 string decoding to https://purple-kelila-79.tiiny.site/data.json; an x-secret-key header is decoded the same way. The script fetches that anonymous tiiny.site URL via axios, takes response.data.cookie, and executes it with new Function.constructor('require', response)(require), retrying up to 5 times. This grants the operator of purple-kelila-79.tiiny.site arbitrary code execution, with full access to Node's require, on any host that uses this package. The combination of (a) impersonation of a popular logger, (b) fetch-and-execute of remote code from an anonymous static host with no integrity check, (c) base64 obfuscation disguised as developer environment variables, and (d) detached-spawn lifecycle evasion is unambiguously the shape of an active attack.
Source: amazon-inspector (f13ebafd858996faf32f6987cd969b933bf5c31c7ac329cf55f160bb6bbf6007)