Note: This report is updated by a verification record
Package is malware due to ransomware-like behavior: file encryption, key exfiltration, terminal locking, ransom note, and persistence attempts.
The package is marked as malware by OSV: MAL-2026-1319 with source: ghsa-malware
The package exhibits multiple strong indicators of malicious behavior, specifically ransomware. It encrypts files (Evidence 3, 4), exfiltrates the encryption key to a Telegram bot (Evidence 2, 6), locks the terminal (Evidence 8), displays a ransom note (Evidence 9), and attempts to persist via shell configuration modification (Evidence 1, 7, 10, 11). The postinstall script executes code upon installation (Evidence 12). These combined behaviors strongly suggest malicious intent.