Note: This report is updated by a verification record
Package collects and sends sensitive system info to a hardcoded server. Multiple YARA matches and LLM analysis confirm suspicious telemetry. Likely malware.
OSV marks the package as malware under MAL-2026-2509 (source: amazon-inspector).
The package exhibits multiple indicators of malicious behavior. The postinstall.js script collects sensitive system information (hostname, username, OS details, current working directory, git config, CI provider) and transmits it to a hardcoded remote server (npm-package-logger-228835561205.us-central1.run.app) via an HTTPS POST request. This behavior is detected by multiple YARA rules (nodejs_phone_home, nodejs_phone_home_hardcoded_host, post_hardcoded_hardcoded_host_os). Additionally, the LLM-based analysis confirms the telemetry data collection and transmission. While the script checks for a DO_NOT_TRACK environment variable, the overall behavior is suspicious, especially given the project's low popularity and lack of provenance. The combination of these factors strongly suggests malicious intent.