Note: This report is updated by a verification record
The package collects sensitive information and exfiltrates it to oastify.com over HTTP from both index.js and setup.py, with silent error handling. Likely malware.
The package is marked as malware by OSV: MAL-2026-1027 with source: amazon-inspector
The package exhibits multiple indicators of malicious behavior. Both index.js and setup.py files contain code that collects sensitive information (hostname, username, current directory, DNS servers, package information) and transmits it to external servers via HTTP requests to oastify.com domains. The use of oastify.com, a service for detecting out-of-band interactions, coupled with silent error handling in index.js and the collection of sensitive information, strongly suggests malicious intent. The pysetup_gets_login YARA rule match on setup.py further supports this conclusion. The fact that the project has very few published versions also raises suspicion.