Supply-chain threat intelligence
Risk score: 92
Indexed incident for webpack-cache-clean (npm).
On npm install, the package runs a postinstall hook (node -e "require('./loader.js')") that spawns a detached child process. The child decodes an obfuscated base64 URL (mislabeled as 'hex' with large whitespace padding) resolving to https://jsonkeeper.com/b/L435A, an anonymous JSON paste host, performs an HTTPS GET, extracts JavaScript source from a manifest.session field, writes it to a temp file, and require()s it, with no signature, hash, or pinned-version check. The fetched code runs with the installer's privileges and can be changed by the attacker between fetches.

The package metadata is also inconsistent: the package name is webpack-cache-clean, the README is titled webpack-cache-plugin, the repository URL points at webpack-tools/webpack-cache-plugin, and the author is the generic Webpack Tools. This is a cover story to lure installers searching for legitimate webpack cache tooling.

This satisfies install-time-rce: attacker-controlled, unpinned, obfuscated remote code execution fires automatically on default install.
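An added defender-side check (example code written for this page, not from the package or the intelligence feed): a static audit of an npm package that flags the three signals described above, a lifecycle hook that runs inline JS, a whitespace-padded base64 string literal that decodes to a URL, and a package name that does not match its repository. The package.json and loader.js samples are constructed to mimic that layout, and the paste URL is a placeholder.

```python
import base64
import json
import re

# Constructed sample mimicking the layout described above: a postinstall
# hook in package.json plus a loader that hides a URL in padded base64.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-cache-clean",
    "repository": {"url": "https://github.com/example-tools/example-cache-plugin"},
    "scripts": {"postinstall": "node -e \"require('./loader.js')\""},
})
_PADDED = base64.b64encode(b"https://paste.example/b/PLACEHOLDER").decode()
SAMPLE_LOADER_JS = (
    "const u = Buffer.from('" + "   ".join(_PADDED[i:i + 8] for i in range(0, len(_PADDED), 8))
    + "', 'hex');\nrequire('https').get(u.toString(), r => {});\n"
)

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
STRING_LIT = re.compile(r"""(['"])(.*?)\1""", re.S)

def decoded_urls(js_source):
    """Strip whitespace from every string literal, try base64, keep URLs."""
    hits = []
    for _, lit in STRING_LIT.findall(js_source):
        compact = re.sub(r"\s+", "", lit)
        if len(compact) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=]+", compact):
            continue
        try:
            text = base64.b64decode(compact, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            hits.append(text)
    return hits

def audit_package(package_json, loader_js):
    """Return a list of findings; an empty list means nothing suspicious."""
    meta = json.loads(package_json)
    findings = []
    for hook, cmd in meta.get("scripts", {}).items():
        if hook in LIFECYCLE and re.search(r"\bnode\s+-e\b|require\(", cmd):
            findings.append(f"lifecycle hook {hook} runs inline JS: {cmd}")
    for url in decoded_urls(loader_js):
        findings.append(f"obfuscated base64 decodes to URL: {url}")
    repo = meta.get("repository", "")
    repo = repo.get("url", "") if isinstance(repo, dict) else str(repo)
    if repo and meta.get("name", "") not in repo.rsplit("/", 1)[-1]:
        findings.append(f"package name {meta.get('name')} != repository {repo}")
    return findings

if __name__ == "__main__":
    for finding in audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_LOADER_JS):
        print("FINDING:", finding)
```

Run it against an unpacked tarball by loading the real package.json and any JS file referenced from its lifecycle scripts in place of the constructed samples.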