Supply-chain threat intelligence
Risk score: 92
Indexed incident for web-pool (npm).
Requiring web-pool triggers middleware() to spawn a detached node lib/initializeCaller.js. That script base64-decodes a hardcoded endpoint (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the entire process.env (CI tokens, npm tokens, AWS_*, GITHUB_TOKEN, arbitrary secrets) to it, and executes the HTTP response body via new Function('require', response.data)(require) — granting the attacker arbitrary code execution under the installer's Node process. The C2 URL is hidden behind base64 inside a fake local process object that shadows Node's real process, an obfuscation pattern designed to defeat static URL scanning. The README masquerades as the pino logger (titled web-corn, badges and links point to npm pino and pinojs/pino), making this a typosquat lure with a malware loader as its only real behavior.