Note: This report is updated by a verification record
Multiple pieces of evidence indicate malicious behavior: a suspicious URL, data exfiltration, process exit, and preinstall script execution.
The package is marked as malware by OSV: MAL-2026-1232 with source: amazon-inspector
The package exhibits multiple suspicious behaviors. The preinstall script executes scripts/setup.js, allowing arbitrary code execution before installation (Evidence 4). This script makes a request to the suspicious domain edrxkprbcqxvbhveoqmmpxavp9wwhkqy4.gjq.io (Evidence 0), exfiltrates the hostname and current working directory (Evidence 1), and then exits the process (Evidence 2). The YARA rule npm_preinstall_command is also triggered (Evidence 3). The combination of these factors indicates malicious intent.