Note: This report is updated by a verification record
The package is malware: it exfiltrates data to multiple domains via DNS and HTTPS and includes a suspicious preinstall script.
The package is marked as malware by OSV: MAL-2026-2654 with source: ghsa-malware
The package exhibits multiple strong indicators of malicious behavior. The index.js file contains code that collects sensitive system information (hostname, username, OS details, environment variables) and exfiltrates it to ienfcixqbgvbxkccdoxgfz2zhmspdpiys.oast.fun and www.mygoals.live via HTTPS POST requests and DNS resolution, as highlighted by multiple YARA rules and LLM analysis. The package.json file includes a preinstall script that executes node index.js, enabling code execution during installation. This combination of data exfiltration and preinstall script execution strongly suggests malicious intent.