random-string-64 @1.0.1

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 12:45 AM UTC

Malicious

OSV ID

MAL-2026-6484

Ecosystem

npm

Summary

The package advertises itself as a 5-line random-string generator, but index.js (the declared main) contains a hardcoded AES-256-CBC ciphertext blob that is decrypted with a sha256-derived key and passed to globalThis.eval. The eval identifier is hidden by storing the strings ['error','vertex','length','delta','alphabetic'] and reconstructing the function name from the first letter of each entry ('e','v','a','l'). Execution is gated by node-env-detector checks (isCI / isNpmBot / isContainer / isVirtualMachineLikely): on automated or sandboxed hosts the package only logs a benign message, while on real developer workstations the decrypted JavaScript is executed when the exported getUniqueID(64) function is called. Any consumer that imports random-string-64 and invokes its documented API on a developer machine therefore runs attacker-controlled code with the privileges of the calling process. The combination of an opaque encrypted payload, eval-identifier obfuscation, and explicit anti-analysis gating is the unambiguous shape of a supply-chain attack.

Source: amazon-inspector (9fea72321e7eb57feb094bc31de2393ec2a56903156e1257a062e40541785b96)