Multiple suspicious behaviors: suspicious URL, data exfiltration, process termination, preinstall script, and few published versions. Likely malware.
No verification record available.
The package exhibits multiple suspicious behaviors that, taken together, strongly suggest malicious intent. The preinstall script executes scripts/setup.js, which sends a GET request to a suspicious URL (https://edrxkprbcqxvbhveoqmmpxavp9wwhkqy4.gjq.io/) and exfiltrates the hostname and current working directory via the User-Agent header. The script then terminates the process immediately after the callback, which is unusual and could be an attempt to hide malicious activity. The suspicious URL, the data exfiltration and the process termination after the callback, together with the use of a preinstall script and the project having few published versions, point towards malicious behavior.