Note: This report is updated by a verification record
Package exfiltrates user info to a remote server via wget in test, preinstall, and preupdate scripts. Very few published versions.
The package is marked as malware by OSV: MAL-2026-2636 with source: ghsa-malware
The package contains suspicious scripts in package.json and package.json.save that exfiltrate sensitive information (username, current path, hostname) to a remote server (webhook.site) using wget during test, preinstall, and preupdate phases. This behavior is detected by both YARA rules (npm_preinstall_command, npm_fetcher) and LLM-based analysis, indicating a high likelihood of malicious intent. The project also has very few published versions, further increasing suspicion.