pathfix @3.0.12

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 12:45 AM UTC

Malicious

OSV ID

MAL-2026-5989

Ecosystem

npm

Summary

pathfix presents itself as a Stylus port of normalize.css but ships a copy of the unrelated normalize-path module with an appended remote-code-execution gadget. On module load, index.js invokes initPlugin(), which uses the request library to GET a configurable URL and evaluates the response body's .cookie field as JavaScript via new (Function.constructor)('require', JSON.parse(b).cookie)(require) (index.js line 71), giving the fetched code full require access on the installer's machine. initPlugin() is also re-exported as the package's main export, so any caller that passes a URL triggers the eval path. Although the default URL is blank in this published version, the gadget is fully wired and runs automatically on require(). The package metadata (description and keywords claiming normalize.css/stylus relevance) is a cover story to attract installs from developers searching for normalize-path or normalize.css, and the dependency list (express, sqlite3, axios, request) is unrelated to the package's stated purpose and inflates the install graph.

Source: amazon-inspector (f2527fa3618f01b694722f2a50297c248053dcdabf1b471ee9bdbdc6522bb838)