The package is malicious. It uses a preinstall script to exfiltrate user and host information to a remote server, with obfuscation, delayed execution, and error suppression.
No verification record available.
The package exhibits multiple strong indicators of malicious behavior. The preinstall script executes node scripts/env-check.js, allowing arbitrary code execution during installation. Both index.js and env-check.js contain code that collects the username and hostname, encodes them using base64, and sends them to a remote server (baooreqyqjveumkkyddc.supabase.co). The exfiltration is further obfuscated by encoding the hostname and path. Execution is delayed by 120 seconds, potentially to evade detection. Errors from the HTTPS request are suppressed so that no issues are logged. Taken together, this evidence strongly suggests that the package is malicious.