Note: This report is updated by a verification record
Multiple suspicious behaviors: suspicious URL, data exfiltration, process termination, preinstall script, and few published versions. Likely malware.
The package is marked as malware by OSV: MAL-2026-1230 with source: amazon-inspector
The package exhibits multiple suspicious behaviors that, when combined, strongly suggest malicious intent. The preinstall script executes scripts/setup.js, which sends a GET request to a suspicious URL (https://edrxkprbcqxvbhveoqmmpxavp9wwhkqy4.gjq.io/). This script also exfiltrates the hostname and current working directory via the User-Agent header. Furthermore, the script terminates the process immediately after the callback, which is unusual and could be an attempt to hide malicious activity. The combination of a suspicious URL, data exfiltration, and process termination after the callback, along with the use of a preinstall script and the project having few published versions, points towards malicious behavior.