SafeDep

Summary

Note: This report is updated by a verification record

Multiple pieces of evidence suggest this package is malware: code obfuscation, dynamic code execution, a suspicious domain, and an unusual install script.

Verification Record

The package is marked as malware by OSV: MAL-2026-2413 with source: amazon-inspector

Details

The package exhibits multiple strong indicators of malicious behavior. The hex obfuscation in 6ad264.js and b02e30.js (Evidences 0, 1, 5, 6, 8), combined with dynamic code execution using module.constructor._load (Evidence 2), access to the global process object (Evidence 3), and the export of OS, DNS, and Process objects (Evidence 4), raises significant concerns. Furthermore, the obfuscated domain name 'oob.sl4x0.xyz' (Evidences 7, 9), the suspicious author email domain 'sl4x0.xyz' (Evidence 10), and the highly unusual 'install' script that executes 'node index.js' (Evidence 11) collectively point towards malicious intent. Taken together, these factors strongly suggest that this package is designed to perform malicious actions.

cclr-component-resources@9.9.10
Malicious
Verified
Analysed at: 3/22/26, 8:51 AM
Source: https://registry.npmjs.org/cclr-component-resources/-/cclr-component-resources-9.9.10.tgz
SHA256: cbb721c9629c27f219929647bfd09971892761012190e86c5f7329c96fc9c0b3
Confidence: High