SafeDep

Summary

Note: This report is updated by a verification record

Malicious package due to data exfiltration in preinstall script, suspicious repo URL, and a low number of published versions.

Verification Record

The package is marked as malware by OSV: MAL-2026-2511 with source: amazon-inspector

Details

The package exhibits multiple suspicious behaviors. The preinstall script in package.json executes node preinstall.js, which exfiltrates system information (hostname and git email) to an external server. The repository URL also points to a potentially attacker-controlled GitHub organization, indicating a possible supply chain attack. Additionally, the package has only one published version, which can be a sign of malicious intent. These combined factors strongly suggest that the package is malicious.

argon2-napi@1.0.0
Malicious
Verified
Analysed at: 4/7/26, 12:15 PM
Source: https://registry.npmjs.org/argon2-napi/-/argon2-napi-1.0.0.tgz
SHA256: 7ab557ad77be072b4042db8ce16196fe0cd6c50b8cac6b13e770c22d958a89f1
Confidence: High