The published tarball contains lib/lib.min.js, a heavily obfuscated file that stashes Node intrinsics on globals (global['r']=require; global['m']=module;) before invoking a Function-constructor eval'd payload. This is the canonical dropper shape: code that needs require access but is structured to evade casual review through a permutation-decoder + Function-eval pipeline. The file is not referenced from lib/index.js (the package main) or any other clean module in the package, whose stated purpose is a small TypeORM transformer for encrypted columns (lib/crypto.js, lib/entity.js, lib/transformer.js show that purpose in clear source). Shipping an obfuscated payload that has no role in the advertised functionality, and that is wired to access Node's require/module via globals when invoked, is unjustified for a column-encryption transformer. Corroborating signal: package.json declares an empty author name with a lookalike email domain (gennagykoroke@vich.com) and no repository or homepage fields — typical placeholder maintainer metadata. While the obfuscated file is dormant on a default require('typeorm-encrypt') (it is not on the load graph from main), its presence in the tarball means any path that loads it — a future patch flipping main, a sibling package requiring typeorm-encrypt/lib/lib.min.js directly, or runtime code in other distribution paths — executes attacker-controlled obfuscated code with full Node intrinsics access. The combination of obfuscation, require-stashing prologue, purpose mismatch, and placeholder maintainer identity is consistent with smuggled malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.