This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.
Malicious package. Executes hidden script during install to exfiltrate local IP, hostname, and homedir to an OAST server.
The package includes a preinstall script that executes node test.js and redirects all output to /dev/null, hiding its execution. The test.js script exfiltrates sensitive information like local IP, hostname, and home directory to an OAST server (oastify.com) using DNS queries. This combination of a hidden preinstall script and data exfiltration strongly suggests malicious intent.