Note: This report is updated by a verification record
Package is malware. It exfiltrates sensitive info, executes arbitrary code during install, and matches multiple YARA rules.
The package is marked as malware by OSV: MAL-2025-190621 with source: amazon-inspector
The package exhibits multiple strong indicators of malicious behavior. The index.js file contains code designed to exfiltrate sensitive information, including environment variables, shell secrets, AWS credentials, SSH data, and credentials from common configuration files. This data is collected using shell commands, base64-encoded, and sent to a remote server. The package.json file includes a preinstall script that executes node index.js, which lets the package run arbitrary code during installation, a common malware technique. The combination of data exfiltration and arbitrary code execution during installation strongly suggests malicious intent. Several YARA rules also matched the index.js and package.json files, further supporting this conclusion.