The package is marked as malware by OSV: MAL-2026-1260 with source: amazon-inspector

Note: This report is updated by a verification record

The package exhibits multiple strong indicators of malicious behavior. The package.json file contains suspicious preinstall and postinstall scripts that use curl to send sensitive information (username, hostname, current directory, timestamp) to a remote server. This data exfiltration is a significant red flag. Additionally, the main field pointing to .mongorc.js is highly unusual and suggests an attempt to inject malicious code into MongoDB environments. The combination of these factors, including the use of requestrepo.com, which is often associated with malicious activity, leads to the conclusion that this package is likely malware.