Note: This report is updated by a verification record
Package collects sensitive data (SSH keys, AWS creds, env vars), exfiltrates it to a remote server, and executes shell commands. MALWARE!
The package is marked as malware by OSV: MAL-2026-2613 with source: ghsa-malware
The package contains multiple indicators of malicious behavior. The postinstall.js script collects sensitive information such as SSH keys, AWS credentials, environment variables, and system information. It then attempts to exfiltrate this data to a remote server (p1s.uk) using HTTPS. If the HTTPS request fails, it falls back to HTTP, which is unencrypted. The script also executes various shell commands to gather system information. There are multiple YARA rule matches indicating access to sensitive files and data exfiltration. The package.json includes a postinstall script that automatically executes the malicious postinstall.js script after installation. The project has only one published version, which raises suspicion. Combining all these factors, there is strong evidence to classify this package as malware.