The package is marked as malware by OSV: MAL-2026-1483 with source: amazon-inspector

Note: This report is updated by a verification record

The package exhibits multiple suspicious characteristics. The js_hex_obfuscation YARA rule detected obfuscation in lib.js. Additionally, the LLM analysis identified the use of eval() to execute a dynamically generated string, which is a strong indicator of potential malicious behavior. The package also has very few published versions, which can be a sign of low maintenance or malicious intent. Combining these factors, the package is classified as malware.