SafeDep

Summary

Note: This report is updated by a verification record

Malware detected: Collects and exfiltrates sensitive data to a suspicious webhook via a preinstall script.

Verification Record

The package is marked as malware by OSV: MAL-2026-1317 with source: ghsa-malware

Details

The package is malware: multiple pieces of evidence point to malicious behavior. The preinstall.js script collects sensitive information, including the hostname, username, Node.js version, current working directory, NPM environment variables, CI environment variables, and network interface information. This data is then exfiltrated to a suspicious webhook URL (webhook.site). The package.json file runs preinstall.js during the preinstall phase, which allows arbitrary code execution at install time. The combination of data exfiltration and arbitrary code execution during installation strongly suggests malicious intent.

@augmentor/experiences@101.0.0
Malicious
Verified
Analysed at: 3/6/26, 5:02 PM
Source: https://registry.npmjs.org/@augmentor/experiences/-/experiences-101.0.0.tgz
SHA256: 3f094730efa01c7c7797314806988699a7644439f399f78c1d1ee76466831347
Confidence: High