This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.
The package collects system information and sends it to an untrusted server, and its suspicious install scripts indicate malicious behavior.
The package exhibits multiple strong indicators of malicious behavior. The install.js script collects sensitive system information (hostname, platform, uptime, user info, environment variables) and sends it to an external, untrusted server (webhook.site/hyatt). This is confirmed by both YARA rule nodejs_phone_home and LLM analysis. Additionally, the package.json file defines install, postinstall, and preinstall scripts that all execute node install.js, enabling arbitrary code execution during installation. This is flagged by both YARA rule npm_preinstall_command and LLM analysis. The combination of data exfiltration and suspicious install scripts strongly suggests malicious intent.