Malicious package due to suspicious preinstall script, data exfiltration via User-Agent, process termination, and a suspicious URL. Low version count.
No verification record available.
The package exhibits multiple suspicious behaviors that, taken together, strongly suggest malicious intent. Specifically, the preinstall script executes node scripts/setup.js, which makes a suspicious HTTP request to https://edrxkprbcqxvbhveoqmmpxavp9wwhkqy4.gjq.io/, potentially for data exfiltration or malicious payload download. The script also sends the hostname and current working directory in the User-Agent header, a further indication of data exfiltration. Furthermore, the script terminates the process after the callback request, which is unusual and disruptive for an install-time script. The low number of published versions adds to the suspicion. Taken together, these indicators point to malicious activity.