On module load, the package's initPlugin() function performs an HTTP GET to https://www.jsonkeeper.com/b/OTOAQ (an anonymous public JSON-paste host) and passes the response body's .data field to new Function.constructor('require',...)(require), executing attacker-controlled JavaScript with full Node require access on the developer/build machine. The ESM entry invokes initPlugin() at top level; the CJS entry spawns a worker_threads Worker on __filename so the same fetch-and-exec runs in the worker. Evidence is in dist/index.cjs lines 148-156. The package name vite-plugin-compress-js mimics the legitimate vite-plugin-compress / vite-plugin-compression packages and copies their description (Use gzip or brotli to compress resources.) and surface API (gzip/brotli on closeBundle) as cover for the dropper. Runtime dependencies (express, request, sqlite3) are inconsistent with a compression plugin; request is the transport used by the dropper. Any project that adds this plugin to its Vite config triggers remote code execution at build time.