This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.
Malware: Executes code on install, exfiltrates data via DNS to a suspicious domain. Contains a preinstall script and phone-home behavior.
The package is malware because it contains a preinstall script that executes arbitrary code (node index.js). The index.js file collects sensitive information (IP, MAC, hostname, username, CWD) and exfiltrates it via DNS resolution to a suspicious domain (d17u6rtjp2jt2l9c64u0mhagodssdwzxf.oast.me). This behavior is highly indicative of malicious intent. The YARA rules nodejs_phone_home and npm_preinstall_command confirm this assessment.