Note: This report is updated by a verification record
The package is malware: its postinstall script steals credentials and system information and exfiltrates them to a remote server. High confidence.
The package is marked as malware by OSV: MAL-2026-2618 with source: ghsa-malware
The package upstartdr version 99.99.1 is highly likely to be malware. Its postinstall.js script exhibits multiple malicious behaviors: it attempts to read sensitive files such as SSH keys, AWS and GCP credentials, shell history, and the Docker and npm configuration files; it executes system commands to gather system, network, and user information; and it collects environment variables, which may contain secrets. All of this information is then exfiltrated to a remote server (p1s.uk). Because package.json declares the script as a postinstall hook, the code runs automatically as part of a normal npm install, with no further interaction from the user. The project has only one published version, which raises further suspicion. Multiple YARA rules (bash_history_high, zsh_history, id_rsa_not_ssh, user_sys_net_disk_recon, nodejs_sysinfoexfil, nodejs_phone_home, gcp_ssh_credentials, linux_server_stealer, curl_https_ssh, and exfil_whoami_hostname) match the postinstall.js file, corroborating the malicious behavior.