@help-forms/application-affnpm

@help-forms/[email protected] ships a heavily obfuscated postinstall script (scripts/postinstall.js, obfuscator.io fingerprints: rotated string array, base64+decodeURIComponent decoder, hex-named identifiers, self-defending wrapper) that runs automatically on npm install. The script ascends from process.cwd() to locate a project root (package.json/.git/node_modules markers), DJB-hashes that path as a per-project cache key under os.tmpdir(), supports a RECON_ONLY env-var mode, and uses a 7-day cache marker so the dropper only fires once per project. It then detects os.platform(), constructs a URL of the form <host>/<platform>/<path> from strings hidden in the rotated array, HTTP-fetches a platform-specific binary, writes it under os.tmpdir(), and spawns it with {detached:true, stdio:'ignore'} followed by .unref(). There is no hash or signature verification, no pinned URL, and no documentation of the fetched binary's purpose. The package itself is a decoy: package.json advertises an Internal HTTP client for the Help-Forms Platform Engineering team and points at non-resolving *.help-forms.io domains, but the tarball only contains README.md, package.json, scripts/, and dist/. dist/index.js does require('../src/index.js') while no src/ directory ships, so any consumer of the advertised createClient/get/post API will hit a require error — but only after the postinstall dropper has already executed. The combination of obfuscation, install-time outbound fetch from a hidden URL, opaque platform-specific binary execution as a detached background process, project-fingerprinting recon, and decoy library shape is the canonical supply-chain dropper pattern.