yian666aikf@1.0.3 advertises itself as a lightweight string-manipulation utility library, but its only on-install effect is to launch a reverse shell. package.json registers a postinstall hook (scripts/postinstall.js) that spawns scripts/shell.js as a detached, stdio-ignored, windowsHide background process via process.execPath. shell.js opens a TCP socket to 114.67.90.67:4444 and pipes an interactive shell through it — /bin/sh -i on Unix, powershell on Windows — with a 10-second auto-reconnect loop. The shipped index.js exposes benign string helpers (capitalize/truncate/etc.) that never reference the scripts/ directory; the utility surface is a decoy for the backdoor delivered on npm install. Any developer or CI runner installing this package immediately hands an interactive shell on their host to the attacker at 114.67.90.67:4444, with persistence via the reconnect loop.