Note: This report is updated by a verification record
Package collects system info, exfiltrates data to a suspicious IP, executes shell commands, and uses pre/postinstall scripts. Likely malicious.
The package is marked as malware by OSV: MAL-2026-1384 with source: amazon-inspector
The package exhibits multiple strong indicators of malicious behavior. It collects extensive system information (hostname, username, IP addresses, OS details, etc.) and exfiltrates this data to a suspicious IP address (168.220.234.152) via HTTP POST, HTTP GET, and DNS queries. The callback.js file executes arbitrary shell commands using execSync. The package.json file includes preinstall and postinstall scripts that execute callback.js, so this code runs during installation. The package description mentions a "dependency confusion test," suggesting the package may be intended to exploit dependency confusion. The package has only one published version, which raises further suspicion. The combination of these factors strongly suggests that this package is malicious.