The package is marked as malware by OSV: MAL-2026-2653 with source: ghsa-malware

Note: This report is updated by a verification record

The package is a malware because it exhibits multiple malicious behaviors. It collects system information (hostname, username, current working directory, platform details, environment variables) and exfiltrates it to external servers via DNS and HTTPS requests. The domains used for exfiltration, ienfcixqbgvbxkccdoxgfz2zhmspdpiys.oast.fun and www.mygoals.live, are associated with OAST (Out-of-band Application Security Testing), suggesting malicious intent. Furthermore, the package includes a preinstall script that executes node index.js, allowing arbitrary code execution upon installation. These multiple pieces of evidence strongly indicate that this package is malicious.