
hyatt-residential-roster@999.999.999

Suspicious
Analyzed at: 10/23/2025, 5:29:10 AM
Source: https://registry.npmjs.org/hyatt-residential-roster/-/hyatt-residential-roster-999.999.999.tgz
SHA256: ab76f83ca967ad9fba17bb26612e481aee66468a0224c32d860495c19edfd213
Confidence: Medium
Summary

This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis.

Package is malware. Collects and exfiltrates sensitive data to an external server. Suspicious install scripts execute the same script multiple times.

Details

The package exhibits multiple strong indicators of malicious behavior. The install.js script collects sensitive system information (hostname, platform, uptime, user information, environment variables) and exfiltrates it to an external server ('https://webhook.site/hyatt'). This is confirmed by both YARA rule nodejs_phone_home and LLM-based file evaluation. Additionally, the package.json file defines 'install', 'postinstall', and 'preinstall' scripts that all execute the same install.js script, which is a highly suspicious practice used to obscure malicious intent by executing actions at different stages of the installation process. The YARA rule npm_preinstall_command also flags the package.json as suspicious. These multiple pieces of evidence strongly suggest malicious intent.