Note: This report is updated by a verification record
The package is malware. It collects sensitive information (SSH keys, AWS credentials, bash history, system information), executes commands, and exfiltrates the collected data to a remote server.
The package is marked as malware by OSV: MAL-2026-2617 with source: ghsa-malware
The package exhibits multiple strong indicators of malicious behavior. The postinstall.js script contains code to collect sensitive information such as SSH keys, AWS credentials, bash history, and system information. It also executes system commands and attempts to exfiltrate the gathered data to a remote server (p1s.uk) via HTTP/HTTPS POST requests. The YARA rules user_sys_net_disk_recon, bash_history_high, zsh_history, id_rsa_not_ssh, nodejs_sysinfoexfil, nodejs_phone_home, gcp_ssh_credentials, linux_server_stealer, curl_https_ssh, and exfil_whoami_hostname all match the postinstall.js file, indicating reconnaissance, credential theft, and data exfiltration attempts. The LLM analysis confirms these findings, highlighting sensitive file exposure, command execution, and data exfiltration. Running node postinstall.js from the package's postinstall script is a common malware technique, since the script executes automatically on install.