Package collects and sends sensitive system info to a hardcoded server. Multiple YARA matches and LLM analysis confirm suspicious telemetry. Likely malware.
No verification record available.
The package exhibits multiple indicators of malicious behavior. The postinstall.js script collects sensitive system information (hostname, username, OS details, current working directory, git config, CI provider) and transmits it to a hardcoded remote server (npm-package-logger-228835561205.us-central1.run.app) via an HTTPS POST request. This behavior is detected by multiple YARA rules (nodejs_phone_home, nodejs_phone_home_hardcoded_host, post_hardcoded_hardcoded_host_os). Additionally, the LLM-based analysis confirms the telemetry data collection and transmission. While the script checks for a DO_NOT_TRACK environment variable, the overall behavior is suspicious, especially given the project's low popularity and lack of provenance. The combination of these factors strongly suggests malicious intent.