The package advertises itself as auth middleware but its main entry (index.js) is a 21KB obfuscator.io-packed file that, on require, performs a hidden download-and-execute pipeline. The single-file main uses an RC4-decoded 273-entry string array and control-flow flattening to conceal its require targets and network destination. On load it requires fs/os/path/child_process plus an HTTP client, installs no-op handlers for uncaughtException/unhandledRejection to suppress errors, constructs a host string via chained replaceAll calls on an obfuscated literal, performs an HTTP GET, writes the response body to disk with flag 'w+', and then invokes child_process.exec on the fetched bytes with windowsHide:true and cwd=process.cwd(). Any service that imports this package executes attacker-controlled remote code in its process context. The package.json has empty description and author and uses a generic name (@apiwizards/auth-middleware) consistent with namespace abuse targeting developers searching for an auth library.