hyatt-album@999.999.999

Suspicious
Analyzed at: 10/23/2025, 5:29:45 AM
Source: https://registry.npmjs.org/hyatt-album/-/hyatt-album-999.999.999.tgz
SHA256: 4920a1a6724db0420877e9bb24907de43199257dbefc4efbe1ca94c457870e9c
Confidence: Medium
Summary

This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.

Multiple pieces of evidence suggest malicious behavior: system info exfiltration, arbitrary code execution via install scripts, and a suspicious version number.

Details

The package exhibits multiple strong indicators of malicious behavior. The install.js script collects sensitive system information and exfiltrates it to an external server ('https://webhook.site/hyatt'). This is confirmed by both YARA rule nodejs_phone_home and LLM analysis. Additionally, the package.json file defines 'install', 'postinstall', and 'preinstall' scripts that all execute 'node install.js', allowing arbitrary code execution during installation, which is a common malware technique. The extremely high version number (999.999.999) further raises suspicion.