The package is marked as malware by OSV: MAL-2026-2409 with source: amazon-inspector

Note: This report is updated by a verification record

The package exhibits multiple strong indicators of malicious behavior. The presence of hex obfuscation in 6ad264.js and b02e30.js (Evidences 0 and 4), combined with the use of String.fromCharCode to deobfuscate strings and access sensitive functionalities like module.constructor._load (Evidences 1, 2), strongly suggests malicious intent. The access to the global process object (Evidence 3) further raises concerns. The suspicious install script executing node index.js (Evidence 5) is highly unusual and indicative of arbitrary code execution during installation. The suspicious author email (Evidence 6) adds to the overall suspicion. While low popularity of the project (Evidences 7 and 8) alone isn't conclusive, it reinforces the other evidence pointing towards malicious activity.