@merceas/cross-fetchnpm

Package is published under the @merceas scope as cross-fetch and reuses the upstream cross-fetch README, homepage (github.com/lquixada/cross-fetch), and author metadata to impersonate the legitimate cross-fetch package. The package main, dist/node-ponyfill.js, contains decoy ponyfill code followed by two obfuscator.io-packed IIFEs that run when the module is require()d. The IIFEs dynamically import fs/os/path/https/http/crypto/url/child_process, AES-256-decrypt a URL constructed at runtime from four 32-byte hex Buffers, HTTPS-GET the payload (handling 301/302/303/307/308 redirects with exponential-backoff retries), write it under os.tmpdir()/<name>-<pid>/, chmod the file to 0755 (chmodSync(file, 0o1ed)), then execute it via bash -c <file> and additionally spawn a detached, unref()'d child with stdio:'ignore' and windowsHide:true for self-respawn / persistence. Obfuscation uses a string-array with numeric-IIFE shift, RC4-keyed base64 lookup, and an anti-tamper RegExp debugger self-test to hide the URL and command strings from static inspection. Importing this package — directly or as a transitive — executes attacker-controlled bytes on the installer's machine in any environment that loads the module (CI, build, production, developer workstation).