Supply-chain threat intelligence
Risk score
92
Indexed incident for webpack-patch (npm).
Package impersonates the webpack ecosystem but is unrelated to webpack. When the exported middleware is invoked, index.js spawns a detached node lib/caller.js child. caller.js fetches https://jsonkeeper.com/b/XRGF3 via axios and passes the response's .cookie field to new Function.constructor('require', s)(require), which executes attacker-controlled JavaScript with the full privileges of the consuming Node process; the fetch/execute sequence is wrapped in a retry loop, so a temporarily unavailable paste is retried rather than abandoned.

The C2 URL and the HTTP header name/value are stored as base64 strings under decoy process.env keys (DEV_API_KEY base64-decodes to https://jsonkeeper.com/b/XRGF3); a sibling const.js variant points at https://jsonkeeper.com/b/4NAKK, giving the operator a pivot URL if the primary paste is removed. jsonkeeper.com is an anonymous, mutable paste host, so whoever controls the paste controls arbitrary code execution on every consumer that loads webpack-patch and exercises its API. Because the second stage is fetched at run time, the published tarball contains only the loader: scanning the tarball alone never shows the payload, and the payload can change at any time without a new package version being published.

The package.json description is generic boilerplate copied from an unrelated security policy, and main is a fake pino-style middleware whose only meaningful effect is launching the dropper.
Affected versions
Indicators
Timeline