SafeDep

Summary

Note: This report is updated by a verification record

Remote code execution by fetching code from a remote URL, together with Discord webhook usage, indicates malicious intent. The package having only a single published version adds to the suspicion.

Verification Record

The package is marked as malware by OSV: MAL-2026-1320 with source: amazon-inspector

Details

The package exhibits multiple suspicious behaviors. The primary concern is the remote code execution vulnerability identified in caller.js. The code fetches a string from a remote URL (defaulting to https://jsonkeeper.com/b/ZK45J) and executes it as JavaScript code, allowing for arbitrary code injection. This is a significant security risk. Additionally, the presence of a Discord webhook URL in transports.md suggests potential misuse for malicious activities. While high entropy in images is not directly indicative of malware, it adds to the overall suspicion. Finally, the project having only one published version raises concerns about its maturity and maintenance. The combination of remote code execution and potential Discord webhook abuse strongly suggests malicious intent.

chain-promised-await@1.3.5
Malicious
Verified
Analysed at: 3/10/26, 8:21 AM
Source: https://registry.npmjs.org/chain-promised-await/-/chain-promised-await-1.3.5.tgz
SHA256: fdb250ae35f0304141c28dbcb39c7a2783b5e97276adb0f805d8880e43229ef7
Confidence: High