Artifact scanner detects npm package 'node-fetch-utils' using external dependency resolution with remote tarball dependency from GitHub
Essential information
- Published: 23/06/2026 14:11
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: dependency confusion, fileless malware, javascript dropper, node-fetch-core, node-fetch-utils, npm, obfuscated script, persistence, python implant, supply chain attack
- Related entities: 2 indicators, 1 observable, 13 techniques (mitre), 2 malware
Description
A malicious npm package named 'node-fetch-utils' was discovered masquerading as a legitimate fetch helper utility. The package declares a remote tarball dependency from GitHub that executes upon installation. It runs an obfuscated postinstall script targeting Windows systems, which downloads a bundled Python runtime and drops it as Microsoft\EdgeBroker\pythonw.exe for persistence. The dropper then uses this disguised runtime to execute a fileless Python implant decrypted in memory and launched hidden via wscript. The dropper scripts self-delete while the disguised runtime remains active on the compromised system, establishing command and control communications.
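The delivery step described above depends on a dependency that resolves outside the npm registry and on code that runs at install time. The following added example (not taken from the report or from the package) audits a parsed package.json for both conditions; the sample manifest, its package names and its URL are constructed for illustration.

```javascript
'use strict';

// Dependency sections npm resolves during `npm install`.
const DEP_FIELDS = ['dependencies', 'optionalDependencies', 'devDependencies', 'peerDependencies'];
// Lifecycle hooks that execute code at install time.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Classify a dependency spec; returns null for ordinary registry ranges, tags and npm: aliases.
function classifySpec(spec) {
  if (/^https?:\/\//i.test(spec)) return 'remote-tarball-url';
  if (/^(file:|\.{0,2}\/)/.test(spec)) return 'local-path';
  if (/^(git(\+\w+)?:|github:|gitlab:|bitbucket:|gist:)/i.test(spec)) return 'git-source';
  if (/^[\w.-]+\/[\w.-]+(#.+)?$/.test(spec)) return 'github-shorthand';
  return null;
}

// Return one finding per non-registry dependency and per install-time hook.
function auditManifest(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(String(spec));
      if (kind) findings.push({ field, name, spec, kind });
    }
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (cmd) findings.push({ field: 'scripts', name: hook, spec: cmd, kind: 'install-hook' });
  }
  return findings;
}

// Constructed sample manifest (not the contents of the reported package).
const SAMPLE = {
  name: 'example-app',
  dependencies: {
    'left-pad': '^1.3.0',
    'helper-core': 'https://github.com/example-org/helper-core/archive/refs/heads/main.tar.gz',
    'other-lib': 'example-org/other-lib#v2',
  },
  scripts: { test: 'node test.js', postinstall: 'node setup.js' },
};

console.log(JSON.stringify(auditManifest(SAMPLE), null, 2));
```

A remote dependency's own install hooks live inside the fetched tarball, so a finding here marks what to unpack and inspect next; installing with `npm install --ignore-scripts` keeps those hooks from running during that review.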