Note: This report is updated by a verification record
Package is malware. It exfiltrates data to a suspicious domain via callback.js, triggered by a preinstall script in package.json.
The package is marked as malware by OSV: MAL-2026-1318 (source: amazon-inspector).
The package exhibits multiple strong indicators of malicious activity. The callback.js script sends system and package information to a suspicious domain, redirect.totally-not-malware.com, which is indicative of data exfiltration. The package.json file includes a preinstall script that executes node callback.js, enabling arbitrary code execution during installation. These factors, combined with the suspicious hostname, strongly suggest that the package is malicious.