malware npm

procwire

discovered 2026-06-17

A Windows binary dropper. The preinstall hook 'node lib/setup.js' requires Node >= 16 and exits unless os.platform() === 'win32'. It imports endpointmap/lib/registry and bytecraft, computes the XOR key as Buffer.from(require('endpointmap/package.json').name).slice(0,8) (the ASCII string 'endpoint', the helper package's own name, so no key constant is stored in the package), XOR-decodes the _ep and _p byte arrays, concatenates them into the C2 URL https://files.catbox.moe/j4loim.chk, and calls require('./worker').init(url).

worker.js (heavily obfuscated with String.fromCharCode) downloads the payload with the User-Agent 'Microsoft-Delivery-Optimization/10.0' through a three-method fallback chain: Node https with a resumable Range header, rejectUnauthorized:false and 5 retries with exponential backoff; curl.exe --ssl-no-revoke; a bitsadmin BITS job. It writes the file to the first writable temp directory under a random browser/installer-masquerade filename (msedge_update, chrome_installer, dotnet_host, onedrive_setup or teams_update, followed by hex and .exe), strips the Mark-of-the-Web by writing a fake Zone.Identifier ADS with ZoneId=0 to defeat SmartScreen, checks a minimum size of 1024 bytes, then executes it via a second three-method fallback chain: a direct detached spawn with stdio:'ignore' and windowsHide; cmd.exe /d /s /c start "" /min; PowerShell Start-Process -WindowStyle Hidden. Every method is detached and unref'd so the payload outlives npm install.

Depends on endpointmap and bytecraft. Collides with the legitimate @procwire/* scope. Maintainer [email protected]; fabricated GitHub org akuznetsov-oss.
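A static triage check for the lifecycle-hook pattern described above, added here as an example and not code from this entry or from the package itself. The manifest and install script it scans are constructed for illustration and only carry the indicator strings; the rule names and scoring threshold are assumptions.

```python
import json
import re

# Constructed sample manifest and install script (not the real procwire code):
# a preinstall hook, a win32 gate, an XOR key derived from a dependency's name,
# TLS verification disabled, a Delivery-Optimization User-Agent, a Zone.Identifier
# write, a BITS fallback and a detached/unref'd spawn.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "sample-pkg",
    "version": "1.0.0",
    "scripts": {"preinstall": "node lib/setup.js"},
    "dependencies": {"endpointmap": "^1.0.0", "bytecraft": "^1.0.0"},
})
SAMPLE_SETUP_JS = """
if (os.platform() !== 'win32') process.exit(0);
const key = Buffer.from(require('endpointmap/package.json').name).slice(0, 8);
https.get(url, { rejectUnauthorized: false, headers: { 'User-Agent': 'Microsoft-Delivery-Optimization/10.0' } });
fs.writeFileSync(out + ':Zone.Identifier', '[ZoneTransfer]\\r\\nZoneId=0');
spawn('bitsadmin', ['/transfer'], { detached: true, stdio: 'ignore', windowsHide: true }).unref();
"""

# Each rule is (name, regex). A single match in a lifecycle script is a review
# finding, not proof of malice; several together are the pattern this entry describes.
RULES = [
    ("platform_gate_win32", re.compile(r"os\.platform\(\)\s*[!=]==?\s*['\"]win32['\"]")),
    ("xor_key_from_dependency_name", re.compile(r"Buffer\.from\(require\(['\"][^'\"]+/package\.json['\"]\)\.name\)")),
    ("tls_verification_disabled", re.compile(r"rejectUnauthorized\s*:\s*false")),
    ("masquerade_user_agent", re.compile(r"Microsoft-Delivery-Optimization")),
    ("motw_zone_identifier_write", re.compile(r"Zone\.Identifier")),
    ("bits_or_curl_fallback", re.compile(r"\bbitsadmin\b|curl\.exe")),
    ("detached_unref_spawn", re.compile(r"detached\s*:\s*true[\s\S]*?\.unref\(\)")),
]

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def lifecycle_scripts(package_json_text):
    """Return the lifecycle hooks a manifest declares, mapped to their commands."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}

def scan_script(source):
    """Return the names of the RULES that match the script source."""
    return [name for name, rx in RULES if rx.search(source)]

def assess(package_json_text, script_source):
    """Combine manifest and script findings; 'high' needs a hook plus 3+ rule hits."""
    hooks = lifecycle_scripts(package_json_text)
    hits = scan_script(script_source)
    level = "high" if hooks and len(hits) >= 3 else "review" if hooks or hits else "none"
    return {"hooks": hooks, "hits": hits, "level": level}

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_PACKAGE_JSON, SAMPLE_SETUP_JS), indent=2))
```

Run it against the extracted tarball of a package before install by feeding its package.json and the script each lifecycle hook points at; the rule list is a starting point to extend from an organisation's own findings.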

Threat types

c2_agent persistence other

Malicious versions

  • 1.3.0 · 96a96616ad2ee41e…

Campaigns

Indicators

Techniques
