Multiple pieces of evidence indicate malicious behavior: a suspicious URL, data exfiltration, process exit, and preinstall script execution.
No verification record available.
The package exhibits multiple suspicious behaviors. The preinstall script executes scripts/setup.js, allowing arbitrary code execution before installation (Evidence 4). This script makes a request to the suspicious domain edrxkprbcqxvbhveoqmmpxavp9wwhkqy4.gjq.io (Evidence 0), exfiltrates the hostname and current working directory (Evidence 1), and then exits the process (Evidence 2). The YARA rule npm_preinstall_command is also triggered (Evidence 3). The combination of these factors indicates malicious intent.