typedecode @1.0.3
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:45 PM UTC
OSV ID
MAL-2026-6476
Ecosystem
npm
Summary
On require('typedecode') / import 'typedecode', the bundled dist/index.cjs and dist/index.js execute an obfuscated import-time payload. A bootstrap.js IIFE exposes require and module on global, deobfuscates two large strings through a custom permutation (YWG), constructs a function via the Function constructor (AQq(erE, YWG(fvm))), invokes it on a second decoded payload to produce XZs, then calls XZs(7942) and brands global._V = 'A6-Shadow-15'. The deliberate placement of require / module on globals before the IIFE allows the decoded code to dynamically load arbitrary Node modules (fs, http, child_process, etc.) without any static reference. The package's API surface and inline comments are copied verbatim from the legitimate decoders package by nvie (including the email-regex comment and the pojo detection comment), and the README API (object, array, optional, string, number, email, url, uuid, decode / verify / value, formatInline, formatShort) duplicates that library — an impersonation lure to drive installs of the hidden loader. The author is the placeholder-style chavanetsanastasia-netizen.
Source: amazon-inspector (593662d3b4cda901642b713f419417807a33f3dca74e818f66e8d0cf9ebcf6e3)
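The indicators named in the summary (require/module placed on global, a function built through the Function constructor, large encoded strings, the global._V brand) can be checked statically in a package's dist files before it is loaded. The following is an added example, not part of the original report or of any scanner's own code; the rule ids, the 4096-character threshold and both sample inputs are constructed assumptions. It matches direct forms only, so a Function constructor reached through an obfuscated lookup will not trip the function-constructor rule and the other rules have to carry the verdict.

```javascript
// Added example: heuristic indicators for the import-time loader pattern.
// Rule names and the 4096-character threshold are assumptions of this example.
const RULES = [
  // require/module copied onto the global object (global.require = require)
  { id: "global-require-module",
    re: /\b(?:global|globalThis)\s*(?:\.\s*|\[\s*['"])(?:require|module)\b(?:['"]\s*\])?\s*=(?!=)/ },
  // direct use of the Function constructor to build code from a string
  { id: "function-constructor",
    re: /\bnew\s+Function\s*\(|(?<![.\w$])Function\s*\(/ },
  // very long single-line string literal, typical of an encoded payload
  { id: "large-string-literal", re: /['"][^'"\n]{4096,}['"]/ },
  // brand marker quoted in the report
  { id: "brand-marker", re: /_V\s*=\s*['"]A6-Shadow-15['"]/ },
];

// Return the ids of every rule that matches the given JavaScript source text.
function scanSource(src) {
  return RULES.filter((rule) => rule.re.test(src)).map((rule) => rule.id);
}

// Escalate when the global exposure appears together with dynamic code
// construction or an encoded blob, or when the reported marker is present.
function isLikelyLoader(findings) {
  const has = (id) => findings.includes(id);
  return has("brand-marker") ||
    (has("global-require-module") &&
      (has("function-constructor") || has("large-string-literal")));
}

// Constructed, inert sample that only reproduces the shape of the indicators.
const SAMPLE_SUSPECT = [
  "global.require = require;",
  "global['module'] = module;",
  "(function () {",
  "  var blob = '" + "A".repeat(5000) + "';",
  "  var make = Function('s', 'return s.length');",
  "  global._V = 'A6-Shadow-15';",
  "})();",
].join("\n");

// Constructed sample of an ordinary CommonJS module, expected to be clean.
const SAMPLE_CLEAN = [
  "const fs = require('fs');",
  "function isFunction(v) { return typeof v === 'function'; }",
  "module.exports = { isFunction, read: (p) => fs.readFileSync(p, 'utf8') };",
].join("\n");

console.log(scanSource(SAMPLE_SUSPECT), isLikelyLoader(scanSource(SAMPLE_SUSPECT)));
console.log(scanSource(SAMPLE_CLEAN), isLikelyLoader(scanSource(SAMPLE_CLEAN)));
```

To use it on a real package, pass the text of each bundled entry file (for this report, dist/index.cjs and dist/index.js) to scanSource without requiring or importing the package.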