Note: This report is updated by a verification record
Collects and exfiltrates sensitive data (credentials, keys, history) to p1s.uk with disabled SSL validation. Suspicious postinstall script.
The package is marked as malware by OSV: MAL-2026-2619 with source: ghsa-malware
The package exhibits multiple strong indicators of malicious behavior. The postinstall.js script collects sensitive information including environment variables, SSH keys, AWS/GCP credentials, npm/docker/git configuration, and shell history. It also executes system commands to gather system information. This data is then exfiltrated to a remote server (p1s.uk) via HTTP/HTTPS with SSL certificate validation disabled, which leaves the transfer itself vulnerable to man-in-the-middle attacks. The combination of these behaviors strongly suggests that this package is designed for malicious purposes.