Note: This report is updated by a verification record
Flagged as a malicious package due to code obfuscation, dynamic module loading, a suspicious author email, and arbitrary code execution during installation.
The package is marked as malware by OSV: MAL-2026-2223 with source: ghsa-malware
The package exhibits multiple suspicious behaviors that, when combined, strongly suggest malicious intent. The code uses hex obfuscation in 6ad264.js, b02e30.js, and helpers.js to hide its functionality. 6ad264.js further employs dynamic module loading of 'os' and 'dns' using obfuscated strings and accesses the global 'process' object. The package.json includes a suspicious author email domain ('sl4x0.xyz') and an 'install' script that directly executes 'node index.js', enabling arbitrary code execution upon installation. The combination of code obfuscation, dynamic module loading, process object access, a suspicious email, and arbitrary code execution during installation provides compelling evidence of malicious intent.