The package is marked as malware by OSV: MAL-2026-2524 with source: amazon-inspector

Note: This report is updated by a verification record

The package exhibits multiple suspicious behaviors. The index.js file contains a suspicious callback URL (dwpmxufjontejuultjhe0dcw571lqawco.oast.fun) used for potential data exfiltration, as detected by both YARA and LLM analysis. It also attempts to exfiltrate the hostname. Additionally, the package.json file includes a preinstall script that executes node index.js, enabling arbitrary code execution during installation. The package has only one published version, raising further suspicion. The combination of these factors strongly suggests malicious intent.