Note: This report is updated by a verification record
The package is flagged as malicious because of data exfiltration, arbitrary command execution, and suspicious install scripts targeting dependency confusion.
The package is marked as malware by OSV: MAL-2026-1383 with source: amazon-inspector
The package exhibits multiple strong indicators of malicious behavior. The callback.js file contains code to collect sensitive system information (hostname, OS type, username, IP addresses, DNS configuration, etc.) and exfiltrate it to a hardcoded IP address (168.220.234.152:443) via HTTP POST and GET requests, as well as DNS queries. It also executes arbitrary commands using child_process.execSync. The package.json file includes preinstall and postinstall scripts that execute callback.js, allowing the malicious code to run during installation. The package description mentions "Security research - dependency confusion test", which is suspicious. The combination of data exfiltration, arbitrary command execution, and suspicious installation scripts strongly suggests that this package is malicious.