Note: This report is updated by a verification record
Package is malware. Hardcoded Telegram credentials, data exfiltration, and preinstall script execution indicate malicious intent.
The package is marked as malware by OSV: MAL-2026-2523 with source: amazon-inspector
The package is malware because it exhibits multiple strong indicators of malicious behavior. The index.js file contains hardcoded Telegram bot credentials and exfiltrates sensitive information such as the username, hostname, and current path to a Telegram bot, which is a clear sign of data exfiltration. Additionally, the package.json file includes a preinstall script that executes node index.js, enabling arbitrary code execution during installation, a common technique used by attackers. The combination of these factors strongly suggests that the package is malicious.