Malicious code in fhirproxy (npm)
Remove it immediately and rotate any exposed credentials.
What this malware does
fhirproxy@90.0.0 is a thin loader package whose only behavior is to fetch and execute its dependency fhirproxy-utils. Its package.json declares both preinstall and postinstall hooks that run node index.js, and the only meaningful statement in index.js is require('fhirproxy-utils'). That dependency is fetched from npm at install time, and its top-level code runs on the installing machine during npm install with no further user interaction.

The package also declares a bin map that aliases the names of widely used developer tools (webpack, webpackcli, vite, eslint, jest, tsc, tsnode, prettier, next, nodemon, turbo), all pointing at the same index.js. Once installed, node_modules/.bin/<tool> resolves to this package, so any later invocation of those commands in the project (CI builds, local dev scripts) re-executes index.js and re-loads fhirproxy-utils instead of the genuine tool.

The package presents itself as OpenMRS REST tooling (author "OpenMRS Community Contributor", version 90.0.0, a 351-byte stub that prints [+] OpenMRS REST Utilities Subsystem Initialized.), but real OpenMRS packages are scoped under @openmrs/* and published by named maintainers: this is impersonation, not a real OpenMRS project.

Taken together, the impersonation metadata, lifecycle-hook execution of an opaque dependency, and bin-hijacking of common dev tooling force installer-side execution of attacker-controlled code at install time and again on every subsequent invocation of any hijacked tool name.
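The two manifest tricks described above (install-time lifecycle hooks and a bin map that shadows well-known tools) can be flagged before anything runs by auditing package.json. The following is an added example, not code from the advisory or from any npm project; the SAMPLE manifest is constructed to mirror the description of fhirproxy@90.0.0, the "*" dependency range is assumed, and KNOWN_TOOLS and the fan-in threshold are the author's own choices.

```javascript
// Audit a package.json object for install-time execution and bin-name hijacking.
// Constructed example; not the advisory's or any project's code.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// CLIs a third-party package should not normally shadow (assumed list).
const KNOWN_TOOLS = new Set(['webpack', 'webpack-cli', 'vite', 'eslint', 'jest', 'tsc',
  'ts-node', 'prettier', 'next', 'nodemon', 'turbo', 'npm', 'node']);
const norm = (s) => s.toLowerCase().replace(/[^a-z0-9]/g, ''); // "webpackcli" ~ "webpack-cli"
const KNOWN_NORMALIZED = new Set([...KNOWN_TOOLS].map(norm));

function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ kind: 'lifecycle-hook', hook, command: scripts[hook] });
  }
  // npm accepts bin as a string (one command named after the package) or an object.
  const bin = typeof pkg.bin === 'string' ? { [pkg.name]: pkg.bin } : (pkg.bin || {});
  const byTarget = new Map(); // target file -> command names that resolve to it
  for (const [cmd, target] of Object.entries(bin)) {
    // A package named "eslint" legitimately exposes "eslint"; anyone else should not.
    if (KNOWN_NORMALIZED.has(norm(cmd)) && cmd !== pkg.name) {
      findings.push({ kind: 'bin-shadows-tool', command: cmd, target });
    }
    byTarget.set(target, (byTarget.get(target) || []).concat(cmd));
  }
  for (const [target, commands] of byTarget) {
    // Many distinct command names all pointing at one file is the loader pattern.
    if (commands.length >= 3) findings.push({ kind: 'bin-fan-in', target, commands });
  }
  return findings;
}

// Constructed manifest mirroring the advisory's description of fhirproxy@90.0.0.
const SAMPLE = {
  name: 'fhirproxy', version: '90.0.0',
  scripts: { preinstall: 'node index.js', postinstall: 'node index.js' },
  bin: Object.fromEntries(['webpack', 'webpackcli', 'vite', 'eslint', 'jest', 'tsc', 'tsnode',
    'prettier', 'next', 'nodemon', 'turbo'].map((t) => [t, 'index.js'])),
  dependencies: { 'fhirproxy-utils': '*' }, // range assumed
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditManifest(SAMPLE)) console.log(JSON.stringify(f));
}
```

Run it against a real manifest by loading the file with JSON.parse and passing the object to auditManifest; a lifecycle hook plus a bin fan-in onto a single file is the combination to treat as hostile.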
Malicious versions
Indicators of compromise (SHA-256)
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder