Note: This report is updated by a verification record
The install script collects system information, reads sensitive files, and exfiltrates the data to a suspicious host. Multiple YARA rule matches corroborate this behavior.
OSV lists the package as malware under MAL-2026-2620 (source: ghsa-malware).
The package exhibits multiple strong indicators of malicious behavior. Its postinstall.js script, which runs automatically on installation, collects extensive system information, including sensitive files (SSH keys, .env files), environment variables (a likely source of secrets and API keys), and the output of shell commands. The collected data is then exfiltrated to the suspicious callback host p1s.uk over HTTPS, with a fallback to plaintext HTTP if that fails. Multiple YARA rules match on these behaviors, including reads of bash/zsh history, SSH keys and GCP credentials, and exfiltration of system information. Taken together, these factors strongly indicate that the package is designed for data theft and system reconnaissance.
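As a practical check for an install tree, the following is an added example (not part of this advisory, OSV, or the flagged package): a small Python scanner that walks node_modules, finds packages declaring preinstall/install/postinstall hooks, and flags hook scripts that reference the callback host named above, the sensitive credential files the advisory lists, a whole-environment read, or a plain-HTTP endpoint. The sample tree it builds is constructed and inert (string literals only), the package names in it are hypothetical, and the indicator list is an assumption drawn from the advisory text rather than the actual YARA rules.

```python
"""Flag npm packages whose install hooks reference the indicators described
in the advisory: the p1s.uk callback host, sensitive credential files, an
environment dump and a plain-HTTP fallback.  Added example, not the advisory's
or the package's own code; the sample tree is constructed and inert."""
import json
import re
import tempfile
from pathlib import Path

# The host comes from the advisory; the path patterns are an assumption
# covering the files it names (gcloud keeps ADC in application_default_credentials.json).
CALLBACK_HOSTS = ("p1s.uk",)
SENSITIVE_PATH_PATTERNS = (
    ("ssh", r"\.ssh/"),
    ("env-file", r"(?<![\w.])\.env\b"),      # '.env' but not 'process.env'
    ("bash_history", r"\.bash_history"),
    ("zsh_history", r"\.zsh_history"),
    ("gcloud-adc", r"application_default_credentials"),
)
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def hook_commands(pkg_dir: Path) -> dict:
    """Return {hook: command} for install-time hooks declared in package.json."""
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text())
    except (OSError, ValueError):
        return {}
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return {}
    return {h: scripts[h] for h in INSTALL_HOOKS if isinstance(scripts.get(h), str)}


def hook_script_files(pkg_dir: Path, command: str):
    """Resolve JS files named in a hook command (e.g. 'node postinstall.js')."""
    for token in command.split():
        if token.endswith((".js", ".cjs", ".mjs")):
            candidate = pkg_dir / token
            if candidate.is_file():
                yield candidate


def indicators_in(text: str) -> set:
    """Return the set of indicator labels present in a script's source."""
    found = set()
    for host in CALLBACK_HOSTS:
        if host in text:
            found.add("host:" + host)
    for label, pattern in SENSITIVE_PATH_PATTERNS:
        if re.search(pattern, text):
            found.add("path:" + label)
    if re.search(r"\bhttp://", text):          # plaintext fallback transport
        found.add("http-fallback")
    if re.search(r"\bprocess\.env\b", text):   # whole-environment read
        found.add("env-dump")
    return found


def scan_tree(root) -> list:
    """Walk an install tree; report packages whose hook scripts carry indicators."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        pkg_dir = manifest.parent
        for hook, command in hook_commands(pkg_dir).items():
            indicators = set()
            for script in hook_script_files(pkg_dir, command):
                indicators |= indicators_in(script.read_text(errors="ignore"))
            if indicators:
                findings.append({"package": pkg_dir.name, "hook": hook,
                                 "script": command, "indicators": sorted(indicators)})
    return findings


def build_sample_tree() -> Path:
    """Constructed fixture (hypothetical package names): one package whose
    postinstall script only mentions the indicator strings, and one benign one.
    Neither script does anything."""
    root = Path(tempfile.mkdtemp())
    flagged = root / "node_modules" / "sample-flagged-pkg"
    flagged.mkdir(parents=True)
    (flagged / "package.json").write_text(json.dumps(
        {"name": "sample-flagged-pkg", "scripts": {"postinstall": "node postinstall.js"}}))
    (flagged / "postinstall.js").write_text(
        "// constructed, inert: string literals only\n"
        "const targets = ['~/.ssh/id_rsa', '.env', '~/.bash_history'];\n"
        "const endpoints = ['https://p1s.uk/x', 'http://p1s.uk/x'];\n"
        "const env = process.env;\n")
    benign = root / "node_modules" / "sample-benign-pkg"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps(
        {"name": "sample-benign-pkg", "scripts": {"postinstall": "node build.js"}}))
    (benign / "build.js").write_text("console.log('build step');\n")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Point `scan_tree` at a real project's node_modules to use it. String matching of this kind is a triage aid, not a verdict: an obfuscated or dynamically assembled script will not match, and a benign package that legitimately reads `process.env` will, so treat a hit as a reason to read the script, and treat any package with an install hook that makes network calls as suspect regardless of the host it names.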