npm

pkg-fallback@1.1.0

Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 6:55 AM UTC

Malicious

OSV ID

MAL-2026-6570

Ecosystem

npm

Summary

Package advertises itself as a small string-manipulation library (trim, case, pad, wrap) but its install-time behavior is a dropper. package.json declares a direct dependency native-bridge as http://157.254.194.200:8080/native-bridge-1.0.0.tar.gz — a plain-HTTP tarball on a bare IP unrelated to any publisher. On npm install, npm fetches that arbitrary tarball and installs it into the consumer's node_modules tree, running its own lifecycle scripts. Additionally, the declared postinstall script (scripts/check-binary.js) downloads a second tarball, npm-dependency-payload-1.0.0.tar.gz, over plain HTTP from the same bare IP and writes it to .cache/native.tgz with errors silently swallowed. Neither fetch is pinned, hash-verified, or sourced from publisher infrastructure, and the shipped tarball contains no native source code that would justify a native-bridge dependency. The string-utility cover story is inconsistent with the install-time behavior, which is the deliberate-evasion shape of a supply-chain dropper.

Source: amazon-inspector (c97ea590e70f499f40938e093cd6a09a13b95030872968b5d325fee8a595f31c)
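As an added example (not part of the advisory, the scanner, or the package), a small Node.js check that flags the two package.json shapes the summary describes before anything is installed: dependency specs that resolve to remote tarballs over plain HTTP or from bare-IP hosts, and install-time lifecycle scripts. The manifest below is constructed, with a TEST-NET address standing in for the real IP, and the trusted-host allowlist is an assumption to adjust per environment.

```javascript
// Added example, not the advisory's or the package's code. Audits a parsed
// package.json for remote-tarball dependency specs over plain HTTP or from
// bare-IP hosts, and for install-time lifecycle scripts. Audit only.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/; // IPv6 literals ([::1]) not covered here
// Assumption: hosts you treat as registry/publisher infrastructure.
const TRUSTED_HOSTS = new Set(["registry.npmjs.org", "github.com", "codeload.github.com"]);

function auditManifest(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      let url;
      try { url = new URL(spec); } catch { continue; } // semver ranges and dist-tags are not URLs
      if (url.protocol !== "http:" && url.protocol !== "https:") continue; // npm:, file:, git+ssh: out of scope
      const where = `${field}.${name}`;
      if (url.protocol === "http:") findings.push(`${where}: tarball fetched over plain HTTP (${spec})`);
      if (IPV4_LITERAL.test(url.hostname)) findings.push(`${where}: host is a bare IP literal (${url.hostname})`);
      if (!TRUSTED_HOSTS.has(url.hostname)) findings.push(`${where}: remote tarball from untrusted host ${url.hostname}`);
    }
  }
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (cmd) findings.push(`scripts.${hook}: runs "${cmd}" at install time; read it before installing`);
  }
  return findings;
}

// Constructed manifest modelled on the shape the summary describes
// (TEST-NET address 192.0.2.10 in place of the real IP).
const SAMPLE_MANIFEST = {
  name: "example-strings", version: "1.0.0",
  dependencies: { "native-bridge": "http://192.0.2.10:8080/native-bridge-1.0.0.tar.gz", lodash: "^4.17.21" },
  scripts: { postinstall: "node scripts/check-binary.js", test: "node test.js" },
};

for (const f of auditManifest(SAMPLE_MANIFEST)) console.log("FINDING:", f);
```

Run it against a real manifest by replacing SAMPLE_MANIFEST with JSON.parse of the file; a non-empty findings list is a reason to read the package before npm install runs its scripts.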
