Note: This report is updated by a verification record
Package is malware. Collects and exfiltrates sensitive info (SSH keys, credentials, env vars) via insecure HTTPS/HTTP after install.
The package is marked as malware by OSV: MAL-2026-2616 with source: ghsa-malware
The package exhibits multiple strong indicators of malicious behavior. The postinstall.js script attempts to collect sensitive information, including SSH keys, AWS/GCP credentials, environment variables, and bash/zsh history. It executes system commands to gather user, system, disk, and network information. The collected data is then exfiltrated to a remote server (p1s.uk) over HTTPS with certificate validation disabled, falling back to plain HTTP if that fails, which leaves the connection open to man-in-the-middle interception. The YARA rules confirm these findings, detecting access to sensitive files and the exfiltration of system information. The postinstall script declared in package.json runs postinstall.js immediately after installation, a common malware technique. The project has only one published version, which raises further suspicion.