@help-forms/[email protected] includes a heavily obfuscated postinstall script that runs automatically on npm install. The script ascends the directory tree to identify the project root and uses a DJB hash of the path as a cache key to limit execution frequency. It detects the operating system platform, constructs a URL from obfuscated strings, and downloads a platform-specific binary to the system temporary directory. This binary is executed detached and without standard input/output, with no integrity checks or signature verification. The package is a decoy, missing critical source files, causing runtime errors for consumers after the malicious payload has executed. This combination of obfuscation, install-time outbound fetch, platform-specific binary execution, project fingerprinting, and decoy package structure is characteristic of a supply-chain dropper malware.

The malicious postinstall script executes automatically during package installation, potentially running arbitrary platform-specific code on the victim's system without user consent or verification. The dropped binary runs detached in the background, which could enable persistent malicious activity. The package's decoy nature means legitimate functionality is broken, but the primary risk is the silent execution of unverified code fetched from an external source. There is no evidence of known exploits in the wild yet.

No official patch or remediation is currently available for this package version. Users should avoid installing @help-forms/application-aff version 3.4.3. Remove any installations of this package from projects and dependency trees. Monitor for updates from the package maintainer or npm advisories for any official fixes or removals. Consider using package integrity verification and supply chain security tools to detect and block such malicious packages.