Supply-chain threat intelligence

Incident detail

critical · npm · crypto miner · osv

Malicious code in easy-day-js (npm)

easy-day-js

Risk score

92

AI summary

Indexed incident for easy-day-js (npm).

Description

Package name 'easy-day-js' impersonates the popular 'dayjs' library: it copies dayjs's author ('iamkun'), homepage (https://day.js.org), repository URL, description, and version number (1.11.22 is a real dayjs release), and bundles dayjs.min.js as main to look legitimate. package.json adds a postinstall hook 'node setup.cjs --no-warnings' that does not exist in real dayjs.

setup.cjs is heavily obfuscated with an obfuscator.io-style rotated base64 string array (a0_0x23bf) and decoder (a0_0x1a24) that hide the API names it uses ('node:child_process', 'node:fs', 'node:crypto', 'spawn', 'writeFileSync').

At install time it sets NODE_TLS_REJECT_UNAUTHORIZED='0' to disable TLS certificate verification, writes the install directory path to os.tmpdir()/.pkg_history and an encoded buffer to os.tmpdir()/.pkg_logs (staging metadata for the second stage), fetches a JavaScript payload from https://23.254.164.92:8000/update/49890878, writes it to a random hex-named file in os.tmpdir(), spawns it detached with the installer's own node interpreter (process.execPath, stdio:'ignore', unref()), and then unlinks setup.cjs to cover its tracks. This is a classic install-time remote-code-execution dropper combined with brand impersonation of dayjs.
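The traits in that description turned into a defender's pre-install audit (added example, not ThreatPkg's or the package's code): the package.json and install-script contents below are constructed to mirror the description, with an inert stand-in script and a TEST-NET placeholder in place of the real payload URL.

```javascript
// Added example, not ThreatPkg's or the package's code. Heuristics for the tradecraft in the
// description: an install hook the upstream lacks, a name that contradicts the repository it
// claims, and a hook script carrying TLS-disabling, staging or obfuscation traits.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Plain tokens; a real obfuscated dropper hides most API names in its string array, so the
// hook-presence, name-mismatch and base64-array checks are the ones that still fire on it.
const SUSPECT_TOKENS = ['NODE_TLS_REJECT_UNAUTHORIZED', 'child_process', 'tmpdir', 'unref', 'unlinkSync'];

// Last path segment of the declared repository URL, without .git (e.g. "dayjs").
function repoSlug(pkg) {
  const r = pkg.repository;
  const url = typeof r === 'string' ? r : (r && r.url) || '';
  const m = url.match(/([^/:]+)\/([^/]+?)(?:\.git)?\/?$/);
  return m ? m[2].toLowerCase() : null;
}

// pkg: parsed package.json; files: { filename: source } for scripts shipped in the tarball.
function auditPackage(pkg, files) {
  const findings = [];
  const scripts = pkg.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => scripts[h]);
  for (const h of hooks) findings.push(`install hook: ${h} -> ${scripts[h]}`);
  const slug = repoSlug(pkg);
  if (slug && slug !== pkg.name.toLowerCase()) findings.push(`name '${pkg.name}' != repository '${slug}'`);
  for (const h of hooks) {
    const file = (scripts[h].match(/\b[\w.-]+\.(?:c?js|mjs)\b/) || [])[0];
    if (!file) continue;
    const src = files[file];
    if (src === undefined) { findings.push(`${h} runs ${file}, which is not in the package`); continue; }
    const hits = SUSPECT_TOKENS.filter((t) => src.includes(t));
    if (hits.length) findings.push(`${file}: ${hits.join(', ')}`);
    if (/https?:\/\/\d{1,3}(?:\.\d{1,3}){3}/.test(src)) findings.push(`${file}: URL with raw IP host`);
    if (/['"][A-Za-z0-9+/=]{40,}['"]/.test(src)) findings.push(`${file}: long base64-like string literal`);
  }
  return findings;
}

// Constructed sample mirroring the description (not the real package or payload).
const SAMPLE_PKG = {
  name: 'easy-day-js', version: '1.11.22', main: 'dayjs.min.js', homepage: 'https://day.js.org',
  repository: { type: 'git', url: 'git+https://github.com/iamkun/dayjs.git' },
  scripts: { postinstall: 'node setup.cjs --no-warnings' },
};
const SAMPLE_FILES = {
  // Inert stand-in: a string-array literal, the TLS-disable line and a TEST-NET placeholder URL.
  'setup.cjs': "const a0_0x23bf=['QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9w'];" +
    "process.env.NODE_TLS_REJECT_UNAUTHORIZED='0'; // stage 2 from https://203.0.113.10:8000/stage2",
};
console.log(auditPackage(SAMPLE_PKG, SAMPLE_FILES).join('\n'));
```

Run it against the unpacked tarball of a dependency before `npm install` executes its lifecycle scripts (or with `--ignore-scripts` set), and treat any install hook on a package that claims another project's repository as a stop signal.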

Technical details

Affected versions

=1.11.22

Indicators

  • affected version = 1.11.22 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents