SafeDep

Summary

Note: This report is updated by a verification record

Malicious package: its preinstall, test and preupdate scripts use wget to send the user, path, and hostname to a remote server (data exfiltration).

Verification Record

The package is marked as malware by OSV: MAL-2026-2633 with source: ghsa-malware

Details

The package exhibits multiple strong indicators of malicious behavior. Its package.json file contains preinstall, test and preupdate scripts that use wget to send sensitive information (the username, current path, and hostname) to a remote server (webhook.site), which is a clear indication of data exfiltration. Furthermore, the project has only one published version, which raises concerns about its maturity and maintenance. Taken together, this evidence leads to the conclusion that the package is likely malicious.

markdownlint-rule-link-pattern@8.0.0
Malicious
Verified
Analysed at: 4/13/26, 6:13 AM
Source: https://registry.npmjs.org/markdownlint-rule-link-pattern/-/markdownlint-rule-link-pattern-8.0.0.tgz
SHA256: c890bcc1a12755a2642c61caacb6b5d1b371c49ae8a0e6312965a14f1e393bd1
Confidence: High