The package is marked as malware by OSV: MAL-2026-1229 with source: amazon-inspector

Note: This report is updated by a verification record

The package exhibits multiple suspicious behaviors that, when combined, strongly suggest malicious intent. Specifically, the preinstall script executes node scripts/setup.js, which makes a suspicious HTTP request to https://edrxkprbcqxvbhveoqmmpxavp9wwhkqy4.gjq.io/, potentially for data exfiltration or malicious payload download. The script also sends hostname and current working directory in the User-Agent, further indicating data exfiltration. Furthermore, the script terminates the process after the callback request, which is unusual and disruptive. The low number of published versions adds to the suspicion. These multiple indicators point towards malicious activity.