Note: This report is updated by a verification record
Malicious package detected. Its preinstall and postinstall scripts use curl to download and execute code from a hardcoded IP address and to exfiltrate user data to it.
The package is flagged as malware by OSV (advisory MAL-2026-2823, source: OSV).
The package contains multiple strong indicators of malicious behavior. Its package.json defines preinstall and postinstall scripts that use curl to download and execute code from a hardcoded IP address (http://64.227.183.144). The same scripts also exfiltrate sensitive information: the username (via whoami), the hostname, the current working directory, and a timestamp. Using curl in install-time scripts, combined with exfiltrating user data and executing downloaded code, strongly indicates malicious intent. The if condition that checks whether the current directory is not /tmp is likely an attempt to evade detection in automated build environments, where packages are commonly installed under /tmp. The multiple YARA rule matches further support this conclusion.