SafeDep

Summary

Note: This report is updated by a verification record

Multiple suspicious behaviors: a postinstall script, hex obfuscation, OS command execution to open a Rickroll, and an attempt to hide execution.

Verification Record

The package is marked as malware by OSV: MAL-2026-2500 with source: amazon-inspector

Details

The package exhibits multiple suspicious behaviors. The postinstall script executes setup.js (Evidence 2), which contains hex-obfuscated code (Evidence 0) and executes OS commands to open a YouTube video (Evidence 1). While the video is a Rickroll and not inherently malicious, the combination of these factors, including obfuscation and unexpected OS command execution, suggests malicious intent. The detached: true and windowsHide: true options further indicate an attempt to conceal the script's activity.

totally-safe-util@1.0.4
Malicious
Verified
Analysed at: 4/6/26, 9:20 AM
Source: https://registry.npmjs.org/totally-safe-util/-/totally-safe-util-1.0.4.tgz
SHA256: 144e54f6bb102935a59769e22353b4d87d5d1b46655bd5bd725bc6793525d01c
Confidence: High