Note: This report is updated by a verification record
Package collects and exfiltrates sensitive system data to Oastify URLs. High entropy file and extension mismatch add to suspicion.
The package is marked as malware by OSV: MAL-2026-1233 with source: amazon-inspector
The package exhibits multiple indicators of malicious behavior. Both index.js and setup.py files contain code that collects sensitive system information (hostname, username, current directory, DNS servers, etc.) and transmits it to external servers using Oastify URLs (https://t939aacpj98mgkavtuj7xzvnwe25qwhk6.oastify.com and https://zjmfkgmvtfisqqk130td755t6kcb0go5.oastify.com). The LLM analysis confirms this data exfiltration. Additionally, the YARA rule very_high_entropy matched a file, and there's an extension mismatch in one of the files, further raising suspicion. The combination of these factors strongly suggests malicious intent.