On npm install, postinstall.js sends an HTTPS POST to https://ddactic-lab.online/sc/beacon carrying the package name/version, Node version, OS, CI-detection result, and the GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, and GITHUB_WORKFLOW environment variables when present. A DNS-lookup fallback encodes the same identifiers as a subdomain under *.b.ddactic-lab.online so the leak still completes even when HTTP egress is filtered — a pattern intended specifically to defeat egress controls. The package itself is a hollow placeholder: package.json describes it as an npm 404 error reference and index.js does nothing but require('web-model-bridge') (its own name) inside a try/catch, so the only effect of installing it is the install-time beacon. Any CI pipeline whose dependency tree references this name will leak the owning GitHub org/repo/workflow identity to an unrelated third-party domain on every build.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.