@bytemend/mfebusnpm

The package advertises itself as a small in-memory pubsub library but its main entry dist/index.js eagerly require()s dist/bootstrap.js, a 277KB obfuscator.io-protected blob (string-array rotation, control-flow flattening, RC4 string decoder, self-defending wrappers) whose decoded behavior is a remote-code dropper. On require — and automatically when the module is loaded inside a forked Node child via maybeInstallAutoIpc()/addIpcTarget(process) — the bootstrap: (1) re-spawns process.execPath detached with the original argv and an env-var sentinel as an anti-analysis re-entry guard (child_process.spawn(process.execPath, process.argv.slice(1), { detached:true, windowsHide:true, stdio:'ignore' }) followed by unref()); (2) opens an HTTPS request to a destination resolved from RC4-decrypted strings, follows redirects, and writes the response under os.homedir()/.cache/<dir>/; (3) verifies a SHA-256 against a sidecar metadata file and then require()s the downloaded payload, executing attacker-controlled code in the installer's Node process. Before doing any of this, it installs no-op handlers for uncaughtException, unhandledRejection, and warning and wraps the flow in try/catch with process.exit(0) paths so failures are silently swallowed and never reach host application logs or telemetry. None of this network, child-process, or self-respawn behavior is disclosed in the README, and none of it is consistent with the package's stated pubsub purpose. Any project that imports this package — directly, transitively, or in a forked worker — fetches and executes attacker-controlled code on the installer's machine.