The package is marked as malware by OSV: MAL-2026-1231 with source: amazon-inspector

Note: This report is updated by a verification record

The package exhibits multiple suspicious behaviors indicating it is likely malware. The setup.js script makes a request to a suspicious URL (edrxkprbcqxvbhveoqmmpxavp9wwhkqy4.gjq.io) and exfiltrates installation information within the User-Agent header. It also unconditionally terminates the process after the request. Furthermore, the package.json file executes setup.js during the preinstall phase, allowing arbitrary code execution before installation. The combination of these factors, including the suspicious URL, data exfiltration, forced process exit, and preinstall script execution, strongly suggests malicious intent. Additionally, the project has only published a few versions, which raises further concerns.