Note: This report is updated by a verification record
Malicious package: it executes a preinstall script, gathers system information, uses a Discord webhook for data exfiltration, and suppresses errors.
The package is marked as malware by OSV: MAL-2026-1487 with source: ghsa-malware
The package is highly likely to be malware due to multiple strong indicators. The package.json includes a preinstall script executing node payload.js, enabling arbitrary code execution before installation. The payload.js script gathers sensitive system information (hostname, username, platform, Node.js version, cwd) and sends it to a Discord webhook. The script also suppresses error messages, hindering detection of failed requests. These behaviors, combined with the use of a Discord webhook for data exfiltration, strongly suggest malicious intent.