unifydata @3.6.6
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 8:41 AM UTC
OSV ID
MAL-2026-6441
Ecosystem
npm
Summary
On require('unifydata'), index.js calls initPlugin() at module top level, performs an HTTPS GET to https://jsonkeeper.com/b/B40HL, JSON-parses the response, and executes the response's cookie field as JavaScript via new Function.constructor('require', body.cookie), then immediately invokes the resulting function with the real require, granting it full Node module-loading capability. jsonkeeper.com is an anonymous, author-mutable JSON paste service; the bytes executed in any installing process are whatever the author has posted there at the time of import, with no pinning, hashing, or signature. The package presents itself with a header comment labeling it normalize-plus (ES6 safe version) and ships a benign-looking normalizePath helper as a decoy, while the published package name is unifydata; the mislabeled cover and unused utility code are consistent with a dropper masquerading as a routine helper. Any process that imports this package executes arbitrary attacker-controlled code with the privileges of that process.
Source: amazon-inspector (0c62d93328810f03f3aac73777f406eee1b3413e1c3320eb87f3445754dba9d3)