Note: This report is updated by a verification record
Package is malware. It steals credentials, collects system info, and exfiltrates data to a remote server via postinstall script.
The package is marked as malware by OSV: MAL-2026-2611 with source: ghsa-malware
The package upstart-lending-status version 99.99.1 is highly likely to be malware. Multiple YARA rules and LLM-based analysis of postinstall.js show strong evidence of malicious behavior. Specifically, the script accesses bash and zsh history, SSH private keys, and GCP credentials. It also collects user, system, disk, and network information, and attempts to exfiltrate this data to a remote server (p1s.uk) using both HTTPS and HTTP. The package.json contains a postinstall script that executes node postinstall.js upon installation, which is a common malware technique. Finally, the project has only one published version, which can be a sign of malicious intent. The combination of these factors strongly suggests that this package is malicious.