SafeDep

Summary

Note: This report is updated by a verification record

Malicious package due to suspicious install script attempting to require the current directory and low project popularity.

Verification Record

The package is marked as malware by OSV: MAL-2026-2408 with source: amazon-inspector

Details

The package exhibits suspicious behavior during installation via the install script node -e "try{require('.')}catch(e){}". This obfuscated command attempts to require the current directory and suppresses errors, potentially executing arbitrary code without user knowledge. Furthermore, the project has low popularity and has published only a few versions of the package. While low popularity alone isn't sufficient, combined with the suspicious install script, it suggests malicious intent.

@cloudsop/hmoment@9.9.9
Malicious
Verified
Analysed at: 2/18/26, 9:54 AM
Source: https://registry.npmjs.org/@cloudsop/hmoment/-/hmoment-9.9.9.tgz
SHA256: 542a4814c2ca2896d3e9da0ca6281ae89a34b94aab4f9ee3123d9e6916ffd456
Confidence: High