runtimekit @1.0.5
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 12:45 AM UTC
OSV ID
MAL-2026-6477
Ecosystem
npm
Summary
lib/index.cjs and lib/index.mjs (re-required from lib/readonly.cjs) contain a self-executing IIFE that decodes two opaque strings with a custom shuffle routine (YWG), recovers the identifier "constructor" from one of them, obtains the Function constructor through property access, then builds and invokes nested Function-constructor calls, Function('', Function('', decoded1))(decoded2)(7942), executing arbitrary decoded JavaScript at module load. Before this, the loader assigns global.r = require and global.m = module, deliberately smuggling Node's module-scoped require and module bindings onto the global object so that the dynamically constructed function, which does not inherit the module wrapper's closure, can reach them. A marker global._V = "A6-Shadow-16" is also set. The package advertises itself as a validation/runtime utility but ships an obfuscated self-injecting loader; a utility library has no legitimate reason to hide its code behind nested Function constructors. Any consumer that does require('runtimekit') or require('runtimekit/readonly') runs the decoded payload in-process with the full privileges of the Node process.
Source: amazon-inspector (ffa393dec171ebd22b63776d7550006d3f9f60ad8726ce1153784080e9038acd)