npm

zenith-utils @12.0.15

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 2:40 AM UTC

Malicious

OSV ID

MAL-2026-6401

Ecosystem

npm

Summary

Package name is zenith-utils, but the tarball is a verbatim copy of the nodemailer source tree (lib/nodemailer.js as main, lib/smtp-transport, lib/ses-transport, lib/dkim, lib/mail-composer, etc.; package.json author set to nodemailer's real maintainer 'Andris Reinman').

package.json declares postinstall: "node lib/utils/index.js", which uses spawn with detached: true, stdio: ['ignore','ignore','ignore'], and child.unref() to launch lib/utils/smtp-connection/index.js as a hidden background process that survives the npm install command. That process forks lib/utils/smtp-connection/worker.js, which polls https://jsonkeeper.com/b/WDH3V in an infinite loop and executes the returned cookie field via new Function('require', r.data.cookie)(require).

jsonkeeper.com is an anonymous, mutable paste host: the author can change the served payload at any time, granting arbitrary Node-privileged code execution on every machine that has installed the package. The detached/unref'd spawn is deliberately designed to hide the activity from npm's lifecycle logs while the eval loop runs persistently in the background.

Source: amazon-inspector (c29676376a28531b186e09fbf7e2d3a0697943ece764e0604ebbdd4b734ae094)
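The behaviours in the summary reduce to a handful of source-level indicators that a reviewer can check on any extracted package before it is installed: an install-time lifecycle hook, a child process started with detached: true and ignored stdio and then unref'd, dynamic code execution from a remote-fetched string, and a main entry file named after a different project than the package. The Python script below is an added illustration of that triage and is not part of the OSV record or of the reporting tool. It runs over a constructed in-memory sample modelled on the report; the file contents are fragments carrying only the indicator tokens, and the URL is a placeholder, not the real payload host.

```python
import json
import re
from typing import Dict, List

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Source-level indicators as (label, regex) pairs. They mirror the behaviours the
# report describes and are heuristics for human review, not proof of malice.
INDICATORS = [
    ("detached-spawn", re.compile(r"\bdetached\s*:\s*true\b")),
    ("stdio-ignored", re.compile(r"stdio\s*:\s*\[\s*(?:['\"]ignore['\"]\s*,?\s*){3}\]")),
    ("child-unref", re.compile(r"\.unref\s*\(\s*\)")),
    ("dynamic-code-exec", re.compile(r"\bnew\s+Function\s*\(|\beval\s*\(")),
    ("remote-url", re.compile(r"https?://[^\s'\"]+")),
]

# Constructed sample of an extracted package (indicator fragments only, not a loader).
SAMPLE_FILES = {
    "package.json": json.dumps({
        "name": "zenith-utils",
        "version": "12.0.15",
        "main": "lib/nodemailer.js",
        "scripts": {"postinstall": "node lib/utils/index.js"},
    }),
    "lib/utils/index.js": (
        "const child = spawn(process.execPath, [worker], "
        "{ detached: true, stdio: ['ignore', 'ignore', 'ignore'] });\n"
        "child.unref();\n"
    ),
    "lib/utils/smtp-connection/worker.js": (
        "// constructed fragment: indicator tokens only, placeholder URL\n"
        "const URL = 'https://paste.example/constructed-placeholder';\n"
        "new Function('require', r.data.cookie)(require);\n"
    ),
    "lib/nodemailer.js": "module.exports = { createTransport() {} };\n",
}

# Constructed benign package for comparison: no hooks, ordinary entry file.
CLEAN_FILES = {
    "package.json": json.dumps({"name": "clean-lib", "version": "1.0.0", "main": "index.js"}),
    "index.js": "module.exports = () => 42;\n",
}


def install_hooks(package_json: str) -> Dict[str, str]:
    """Return the lifecycle scripts npm would run automatically on install."""
    scripts = json.loads(package_json).get("scripts", {}) or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def scan_source(text: str) -> List[str]:
    """Return the labels of every indicator present in one JavaScript file."""
    return [label for label, rx in INDICATORS if rx.search(text)]


def main_name_mismatch(package_json: str) -> bool:
    """Heuristic: the entry file is named after a project other than the package."""
    pkg = json.loads(package_json)
    main = pkg.get("main") or "index.js"
    stem = main.rsplit("/", 1)[-1].split(".")[0].lower()
    return stem not in ("index", "main") and stem not in pkg.get("name", "").lower()


def triage(files: Dict[str, str]) -> dict:
    """Combine the checks into a verdict: 'high', 'review', or 'low'."""
    hooks = install_hooks(files["package.json"])
    findings = {}
    for path, text in files.items():
        if path.endswith(".js"):
            hits = scan_source(text)
            if hits:
                findings[path] = hits
    all_hits = {hit for hits in findings.values() for hit in hits}
    # An install hook that reaches detached spawning plus dynamic code execution is
    # the combination the report describes; flag it as high regardless of file layout.
    high = bool(hooks) and "dynamic-code-exec" in all_hits and "detached-spawn" in all_hits
    return {
        "install_hooks": hooks,
        "main_name_mismatch": main_name_mismatch(files["package.json"]),
        "indicators": findings,
        "verdict": "high" if high else ("review" if hooks or all_hits else "low"),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FILES), indent=2))
    print(json.dumps(triage(CLEAN_FILES), indent=2))
```

The verdict deliberately keys on the combination of an install hook and both process-hiding and dynamic-execution indicators; legitimate packages do use detached children or postinstall builds on their own, so a single hit lands in the review bucket rather than being auto-blocked. In practice the input would be a tarball unpacked with `npm pack` into a temporary directory, walked with `os.walk`, rather than the in-memory dict used here.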
