Supply-chain threat intelligence
Risk score: 92
Indexed incident for path-extend (npm).
On require(), path.js runs an IIFE that calls a loader which fetches a base64-hidden URL (https://www.jsonkeeper.com/b/XTTBX) from jsonkeeper.com, an anonymous, mutable JSON paste host, and passes the returned data.content to eval(). A second loader fetches https://www.jsonkeeper.com/b/P0CND for the same purpose. The variable names (randomStringRe, tokenStringRe) and the base64-encoded URLs are obfuscation intended to evade scanning. The package name typosquats Node's built-in path module; package.json lists an empty author field and a generic 'Node.js path module' description, and path.js is otherwise a verbatim copy of Node core's path.js with the malicious fetch-and-eval block injected. Any consumer that calls require() on this package runs attacker-controlled JavaScript in its Node process, and the attacker can change that code at any time by editing the paste.
The OpenSSF Package Analysis project identified 'path-extend' @ 1.0.11 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
Affected versions
Indicators
Timeline