Note: This report is updated by a verification record
Malicious package with preinstall script executing a file that gathers sensitive data and exfiltrates it to a suspicious domain.
OSV marks the package as malware (MAL-2026-2588, source: ghsa-malware).
The package exhibits multiple strong indicators of malicious behavior. Its package.json declares a preinstall script that runs node poc.js, so arbitrary code executes as soon as the package is installed. The poc.js script collects system information (user info, hostname, network configuration, running processes) and attempts to read sensitive files (SSH keys, AWS credentials, Docker config). It then exfiltrates this data to a suspicious domain, cvbykwjip0ba35fyfewhmj4f46axynmc.oastify.com, which is associated with OAST (out-of-band application security testing) callback infrastructure and data exfiltration. The YARA rule matches confirm the suspicious behavior of the poc.js file.