Note: This report is updated by a verification record
Malware due to hex obfuscation, suspicious install script, dynamic module loading, OS command access, process object access, and untrustworthy project.
The package is marked as malware by OSV: MAL-2026-2416 with source: amazon-inspector
The package exhibits multiple suspicious characteristics, strongly suggesting it is malware. The presence of hex obfuscation in 6ad264.js and b02e30.js, along with obfuscated variable names and the use of ASCII code arrays, indicates an attempt to hide the code's functionality. The code accesses and executes OS commands using module.constructor._load to load the 'os' and 'dns' modules, and accesses the global process object, allowing for arbitrary code execution and information gathering. Furthermore, the install script executes node index.js, enabling immediate arbitrary code execution upon installation. The author's email, research@sl4x0.xyz, is also suspicious. The project has few versions and low stars and forks, which makes it untrustworthy.