Package flagged as malicious: sensitive data is exfiltrated via an obfuscated preinstall script. The small number of published versions increases suspicion.
No verification record available.
The package exhibits multiple strong indicators of malicious behavior. The preinstall script executes scripts/init.js, which exfiltrates sensitive information (username, hostname, git remote URL, AD domain, AD DNS, and npm registry configuration) to a remote server. The target host and path are obfuscated using base64 encoding, further concealing the malicious intent. The combination of sensitive data exfiltration, obfuscation, and execution during the preinstall phase strongly suggests that this package is malicious. The fact that the project has few published versions adds to the suspicion.