Supply-chain threat intelligence
Risk score
92
Indexed incident for webpack-cache-cycle (npm).
On npm install, package.json's postinstall hook runs node -e "require('./loader.js')". loader.js spawns a detached node process that decodes a hex-encoded URL (https://jsonkeeper.com/b/L435A, an anonymous, mutable paste host), performs an HTTPS GET, writes the response's session field to a temporary .js file, and require()s it, executing attacker-controlled JavaScript on the installer's machine. Because the second stage is fetched at install time from a host whose content can be changed at will, the payload served to one installer need not match what was captured during analysis, and the hosted content may have been altered or removed since.

The URL is obfuscated as a hex literal padded with whitespace inside Buffer.from(...) so that naive string scanners looking for "http" or the domain do not match. The detached spawn lets npm install exit cleanly while the dropper continues asynchronously, so the install log shows no error or delay. Installing with npm's --ignore-scripts option prevents the postinstall hook from running at all, which is the simplest way to inspect the package safely. The package's advertised purpose is a webpack cache plugin, which does not justify any network access at install time.

The package name webpack-cache-cycle and README title webpack-cache-plugin impersonate legitimate webpack tooling, with placeholder author metadata (Webpack Tools) and a non-existent GitHub repository.
Affected versions
Indicators
Timeline