SafeDep

Summary

Note: This report is updated by a verification record

Package is malware. Collects system info, exfiltrates data via HTTP/DNS, executes commands, and uses preinstall script for auto-execution.

Verification Record

The package is marked as malware by OSV: MAL-2026-2529 with source: amazon-inspector

Details

The package exhibits multiple strong indicators of malicious behavior. The preinstall.js script collects sensitive system information (username, hostname, network interfaces, DNS servers, etc.) and attempts to exfiltrate this data to a remote server (ienfcixqbgvbxkccdoxgvw1mg2rag0oty.oast.fun) using HTTPS POST/GET requests and DNS resolution. The script also executes arbitrary commands using execSync, posing a significant security risk. The package.json file defines a preinstall script, automatically executing preinstall.js during installation, a common technique used by malicious packages. The combination of data exfiltration, command execution, and preinstall script execution provides strong evidence of malicious intent.

use-form-builder-plugin@99.0.0
Malicious
Verified
Analysed at: 4/6/26, 4:16 PM
Source: https://registry.npmjs.org/use-form-builder-plugin/-/use-form-builder-plugin-99.0.0.tgz
SHA256: 37436bb85da70683b54e5f8d614cbed265c4e797a3d7e580df9361bae3172924
Confidence: High