The package is marked as malware by OSV: MAL-2026-2635 with source: ghsa-malware

Note: This report is updated by a verification record

The package contains malicious scripts in package.json. The test, preinstall, and preupdate scripts use wget to exfiltrate sensitive information (username, current path, and hostname) to a remote webhook. This behavior is indicative of malicious intent.