vitest-pro @7.0.6
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5862
Ecosystem
npm
Summary
Package vitest-pro is a namespace-abuse lure: its name suggests a vitest extension, but its source tree, README, and main entry (lib/nodemailer.js) are a verbatim copy of nodemailer with the name string rewritten. package.json declares "postinstall": "node lib/utils/index.js", which on npm install spawns lib/utils/smtp-connection/index.js as a detached child process (spawn(process.execPath, [filePath], {detached:true, stdio:['ignore','ignore','ignore']})).

That file is heavily obfuscated with two stacked layers (a custom base-91-style decoder populating a string cache, plus an obfuscator.io string-array with _0x... identifiers); once decoded it loads axios and child_process, polls a hardcoded C2 at 74.0.48.37:4556 and 74.0.48.37:4558, downloads a ZIP, extracts it via tar / Expand-Archive / unzip, and executes the dropped binary.

It then establishes cross-platform persistence: on Windows it writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run via reg.exe add, registers a schtasks /create ... /sc ONLOGON task, and drops a startup .cmd under %APPDATA%\...\Startup; on macOS it writes a LaunchAgent plist under ~/Library/LaunchAgents and runs launchctl load. Any developer or CI system running npm install vitest-pro is compromised at install time and re-compromised on every reboot.
Source: amazon-inspector (39810890a1ffc946b3da439738fb619eab1613a775a308d6f248b80b38ce5603)