THREATPKG
Supply-chain threat intelligence

Incident detail

critical · npm · obfuscation · osv

Malicious code in webpack-cache-reset (npm)

webpack-cache-reset

Risk score

92

AI summary

Indexed incident for webpack-cache-reset (npm).

Description

On npm install, the package's postinstall hook runs loader.js, which hex-decodes the URL https://jsonkeeper.com/b/INN1F (an anonymous JSON paste host), fetches the response, writes the embedded manifest.session payload to a temporary .js file, and require()'s it inside a detached child node process, which executes attacker-controlled JavaScript on the installer's machine. The URL is obfuscated via Buffer.from(, 'hex'), and the temporary file is deleted after load to hide traces. The package additionally impersonates a webpack utility: the README is titled 'webpack-cache-plugin' and instructs users to npm install webpack-cache-plugin --save-dev, while the published name is 'webpack-cache-reset' and the declared repository (github.com/webpack-tools/webpack-cache-plugin) does not exist. Installers are lured under a webpack-ecosystem name into running arbitrary remote code at install time.
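A static triage check for the pattern described above, added here as an example and not taken from the advisory or from ThreatPkg: it flags install lifecycle hooks, follows a `node <file>` hook into the script it launches, decodes `Buffer.from('<hex>', 'hex')` literals, and reports any that are URLs. The function name `scanPackage`, the in-memory file map, and the sample package with its placeholder URL are assumptions constructed for illustration.

```javascript
// Added example: static triage of an unpacked npm package for the pattern in this advisory.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const HEX_LITERAL = /Buffer\.from\(\s*['"`]([0-9a-fA-F]{16,})['"`]\s*,\s*['"`]hex['"`]\s*\)/g;

// files: { relativePath: sourceText } for one unpacked tarball (hypothetical input shape).
function scanPackage(files) {
  const findings = [];
  let manifest;
  try {
    manifest = JSON.parse(files['package.json'] || '');
  } catch {
    return [{ rule: 'unreadable-manifest' }];
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    findings.push({ rule: 'install-hook', hook, cmd });
    // Follow "node <file>.js" style hooks into the script they launch.
    const m = /\bnode\s+(?:\.\/)?([\w./-]+\.c?js)\b/.exec(cmd);
    const src = m && files[m[1]];
    if (typeof src !== 'string') continue;
    for (const [, hex] of src.matchAll(HEX_LITERAL)) {
      if (hex.length % 2) continue; // odd length is not a byte string
      const decoded = Buffer.from(hex, 'hex').toString('utf8');
      if (/^https?:\/\//i.test(decoded)) {
        findings.push({ rule: 'hex-encoded-url', file: m[1], url: decoded });
      }
    }
    if (/detached\s*:\s*true/.test(src) && /child_process/.test(src)) {
      findings.push({ rule: 'detached-child', file: m[1] });
    }
  }
  return findings;
}

// Constructed sample: inert strings shaped like the hook described above.
const SAMPLE_URL = 'https://paste.example.invalid/b/XXXXX';
const SAMPLE = {
  'package.json': JSON.stringify({
    name: 'sample-pkg', scripts: { postinstall: 'node loader.js' } }),
  'loader.js': `const { spawn } = require('child_process');
const u = Buffer.from('${Buffer.from(SAMPLE_URL).toString('hex')}', 'hex').toString();
spawn(process.execPath, [tmpFile], { detached: true, stdio: 'ignore' });`,
};
const CLEAN = { 'package.json': JSON.stringify({ name: 'ok', scripts: { test: 'node t.js' } }) };

console.log(scanPackage(SAMPLE));
```

Run it against tarballs fetched with `npm pack` rather than installed packages, so no lifecycle script executes during triage.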

Technical details

Affected versions

=0.1.4

Indicators

  • affected version = 0.1.4 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
