Supply-chain threat intelligence
Risk score
92
Indexed incident for node-path-utils (npm).
The package name node-path-utils and its README/description claim it is 'an exact copy of the NodeJS path module', impersonating the Node.js core path standard library to lure developers into installing it.

On require() of the main entry (path.js), a top-level IIFE invokes loadTokenData(), which decodes a base64-encoded URL (aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9QMENORA== → https://www.jsonkeeper.com/b/P0CND), fetches it with fetch(), and passes the response JSON's content field directly to eval(). jsonkeeper.com is a free, mutable JSON-paste service: whoever controls the paste can swap the served code at any time, executing arbitrary attacker-controlled JavaScript in the consumer's Node process on every import.

Additionally, path.js calls require('mddriver') at module top, with mddriver: "*" in dependencies — an unused, unpinned third-party package pulled into the installer's process at import, providing a second smuggling vector for attacker code via the transitive dependency.

The combination of stdlib impersonation, base64-obfuscated remote fetch, eval of mutable paste-host content, and an unused wildcard-pinned sidecar dependency is an unambiguous remote-code-execution dropper.
Affected versions
Indicators
Timeline