THREATPKG

Supply-chain threat intelligence


critical · npm · malware · osv

Malicious code in vite-config-optimizer (npm)

vite-config-optimizer

Risk score

92

AI summary

Indexed incident for vite-config-optimizer (npm).

Description

package.json declares a postinstall hook node -e "require('./loader.js')" that auto-executes on every npm install. loader.js spawns a detached child Node process running a dropper that hex-decodes a hidden URL (https://jsonkeeper.com/b/L435A, an anonymous, mutable JSON paste host), HTTPS-GETs the response body, writes it to a temp file under /tmp/wpc-*/cfg-*.js, and require()s it — running arbitrary attacker-controlled JavaScript inside the installer's Node process with the installer's privileges. The remote endpoint is concealed as a hex literal decoded with Buffer.from(..., 'hex').toString() to evade plain-text URL scanners, and the dropper is detached and unref'd to hide its activity. The package's advertised identity is also a cover story: the name and description claim it is a Vite configuration plugin, but the declared repository points at webpack-tools/webpack-cache-plugin, the main module exports a WebpackCachePlugin class, and the only install-time behavior is the dropper. Anyone running npm install vite-config-optimizer (directly or transitively) executes whatever bytes the paste host serves at request time.
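A defender-side check for the pattern described above, added here as an example and not ThreatPkg's own tooling: it flags install-time lifecycle scripts that invoke `node -e` or require() a local file, hex literals decoded via Buffer.from(..., 'hex') that yield a URL, and a repository field whose project name does not match the package name. The sample manifest and loader snippet are constructed to mirror the incident; the hex-encoded URL is a placeholder, not the real endpoint.

```javascript
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Names of install-time lifecycle scripts that run inline code via `node -e`
// or require() a local file, the pattern used by the loader.js hook.
function suspiciousInstallScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => {
    const cmd = scripts[hook];
    return typeof cmd === 'string' && /\bnode\s+(-e|--eval)\b|require\(/.test(cmd);
  });
}

// Hex literals passed to Buffer.from(<literal>, 'hex') that decode to an
// http(s) URL, i.e. a remote endpoint hidden from plain-text URL scanners.
function hiddenUrls(source) {
  const re = /Buffer\.from\(\s*['"]([0-9a-fA-F]+)['"]\s*,\s*['"]hex['"]\s*\)/g;
  const urls = [];
  for (const m of source.matchAll(re)) {
    const decoded = Buffer.from(m[1], 'hex').toString('utf8');
    if (/^https?:\/\//.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// True when the repository URL's project name (unscoped comparison) differs
// from the package name, as with a "Vite" package pointing at a webpack repo.
function repoMismatch(manifest) {
  const repo = typeof manifest.repository === 'string'
    ? manifest.repository
    : (manifest.repository && manifest.repository.url) || '';
  const m = repo.match(/\/([^\/]+?)(\.git)?\/?$/);
  return m !== null && m[1] !== manifest.name;
}

// Constructed sample manifest modelled on the incident (not the real package files).
const sampleManifest = {
  name: 'vite-config-optimizer',
  version: '1.1.4',
  description: 'Vite configuration plugin',
  repository: { url: 'git+https://github.com/webpack-tools/webpack-cache-plugin.git' },
  scripts: { postinstall: 'node -e "require(\'./loader.js\')"' },
};

// Constructed loader snippet; the hex literal encodes a placeholder URL.
const placeholderHex = Buffer.from('https://example.invalid/cfg').toString('hex');
const sampleLoader = `const u = Buffer.from('${placeholderHex}', 'hex').toString();`;
```

Run the three checks over every package.json and .js file under node_modules after an install; any package that trips all three deserves the same scrutiny as this incident.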

Technical details

Affected versions

= 1.1.4

Indicators

  • affected version = 1.1.4 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
