SafeDep

Summary

Note: This report is updated by a verification record

Malicious package due to code obfuscation, dynamic module loading, process exposure, suspicious install script, and untrustworthy author email.

Verification Record

The package is marked as malware by OSV: MAL-2026-2407 with source: amazon-inspector

Details

The package exhibits multiple indicators of malicious behavior. The code uses hex obfuscation in multiple files (6ad264.js, b02e30.js, helpers.js) to hide its functionality. The 6ad264.js file dynamically loads core Node.js modules like 'os', 'dns', and 'process', and exposes the process object, which can be used to access sensitive information. The package.json includes a suspicious install script (node index.js) that executes arbitrary code during installation. The author's email, research@sl4x0.xyz, uses a suspicious domain. Although the project has low stars/forks and few published versions, the combination of code obfuscation, dynamic loading of modules, process object exposure, and a suspicious install script strongly suggests malicious intent.

Package: @ceeferenderer/itg-renderer-sdk@99.9.9
Verdict: Malicious (Verified)
Analysed at: 3/14/26, 7:10 PM
Source: https://registry.npmjs.org/@ceeferenderer/itg-renderer-sdk/-/itg-renderer-sdk-99.9.9.tgz
SHA256: 3e0fcf58653c81f0c9d75c482a132f4926d33990070c58bbb2e7629d1468f28d
Confidence: High