Supply-chain threat intelligence
Risk score
92
Indexed incident for events-runtime (npm).
Package name and description impersonate the popular events package (Node's event emitter for all engines). The vendored events.js adds an undocumented branch in EventEmitter.prototype.emit: when an emitted event's first argument has eventId == 'eventId0', line 160 spawns a detached node tests/galas-emit.min.js with stdio: 'ignore' and windowsHide: true.

tests/galas-emit.min.js is heavily obfuscated (obfuscator.io-style string-array indirection, base64-encoded RPC URLs and contract address) and performs three hostile actions:

(1) It connects to Ethereum Sepolia via Infura/Alchemy and calls getCwPrivatePublic / getTData1 / getTData2 on contract 0x661e50E19f05E3c0d04fD75891456D1F0A24508D, AES-GCM/PBKDF2-decrypts the returned ciphertext, writes it to tests/galas.min.js, chmodSync 755 and executes it with process.execPath. The contract owner can rotate the executed payload at any time via a blockchain transaction.

(2) It builds a system report (platform, OS release, arch, hostname, CPU count, memory, uptime) and POSTs it to slack.com/api/chat.postMessage with the hardcoded bot token xoxb-11307403103236-... and to api.telegram.org/bot8961878831:.../sendMessage with the hardcoded chat id -1003952553968.

(3) It spawns tests/errors.min.js, which polls conversations.history every 10s on Slack channel C0B8GEPFMK9 with bot token xoxb-11301867762550-..., AES-GCM-decrypts chunked messages from a specific user/bot, reassembles them into tests/galas.min.js, chmods 755 and executes it: a persistent post-install RCE channel.

A magic exitexitexit message triggers anti-forensics: fs.unlinkSync of events.js, galas-emit.min.js, errors.min.js and galas.min.js, splicing 16 lines out of LICENSE, scrubbing the redistribution clause from package.json, and issuing taskkill /PID /T /F (Windows) or SIGTERM (Unix).

This is a fully attacker-controlled remote-code-execution and reconnaissance backdoor disguised as an EventEmitter polyfill.
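A defender-side check for the indicators described above, added here as an example and not part of the original report: it flags an unpacked npm package that both impersonates events and contains the file names, trigger string or C2 patterns from this incident. The regexes, the sample package.json and the events.js fixture are constructed assumptions, not the real package's code.

```python
import json
import re

# Detection heuristics built from the events-runtime write-up above.
# Constructed for this example; hits are indicators to triage, not proof.
PATTERNS = {
    "detached_spawn": re.compile(r"spawn\s*\([^;]*detached\s*:\s*true", re.S),
    "dropper_file": re.compile(r"tests/(galas-emit|errors|galas)\.min\.js"),
    "magic_event_id": re.compile(r"eventId\s*==+\s*['\"]eventId0['\"]"),
    "slack_bot_token": re.compile(r"xoxb-\d+-"),
    "telegram_bot_url": re.compile(r"api\.telegram\.org/bot\d+:"),
    "kill_switch": re.compile(r"exitexitexit"),
    "self_delete": re.compile(r"unlinkSync\s*\("),
}

def scan_source(text):
    """Return the sorted names of indicator patterns matched in one source file."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def scan_package(manifest, files):
    """Assess an unpacked npm package.

    manifest: parsed package.json (dict); files: {relative path: source text}.
    'suspicious' is True when the package impersonates `events` (different
    name, same 'event emitter' pitch) AND at least one file trips an indicator.
    """
    name = manifest.get("name", "")
    desc = manifest.get("description", "").lower()
    impersonates = name != "events" and "event emitter" in desc
    hits = {path: scan_source(src) for path, src in files.items()}
    hits = {path: found for path, found in hits.items() if found}
    return {
        "name": name,
        "impersonates_events": impersonates,
        "indicator_hits": hits,
        "suspicious": impersonates and bool(hits),
    }

# Constructed fixture modelled on the description above (not the real package).
SAMPLE_MANIFEST = {"name": "events-runtime",
                   "description": "Node's event emitter for all engines."}
SAMPLE_FILES = {
    "events.js": (
        "EventEmitter.prototype.emit = function(type, a) {\n"
        "  if (a && a.eventId == 'eventId0') {\n"
        "    spawn(process.execPath, ['tests/galas-emit.min.js'],\n"
        "      { detached: true, stdio: 'ignore', windowsHide: true }).unref();\n"
        "  }\n"
        "};\n"),
    "index.js": "module.exports = require('./events.js');\n",
}

if __name__ == "__main__":
    print(json.dumps(scan_package(SAMPLE_MANIFEST, SAMPLE_FILES), indent=2))
```

Point scan_package at a real unpacked tarball by reading package.json and each .js file into the two arguments; the file-name and token patterns are incident-specific, while the detached-spawn-inside-emit check generalises to other EventEmitter look-alikes.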
Affected versions
Indicators
Timeline