Note: This report is updated by a verification record
The package is malicious due to a postinstall script executing a file that exfiltrates sensitive information to a remote server.
The package is marked as malware by OSV: MAL-2026-1486 with source: amazon-inspector
The package exhibits multiple strong indicators of malicious behavior. The postinstall script executes node a.js, which is a common malware technique. The a.js file then makes multiple HTTP GET requests to https://site.wheezy.io/trello-enterprises-1000.1000.1000, exfiltrating sensitive information such as the current directory, hostname, username, and home directory. The YARA rule get_hardcoded_hardcoded_host_os also matched on a.js, further supporting the conclusion that this package is malicious.