On npm install, the package automatically executes lib/_setup.js via the postinstall lifecycle hook. The script spawns a detached Node process that collects host identifiers (hostname, username, platform, architecture, IPv4 addresses, current working directory, npm registry) and the names of environment variables matching /NPM|NODE|CI|JENKINS|GIT|BUILD|RUNNER|DOCKER|KUBE|REGISTRY/, then HTTPS POSTs that payload to a hardcoded DingTalk bot webhook (oapi.dingtalk.com/robot/send) using an embedded access token. Before sending, the script checks whether the username or hostname contains any of 'sandbox', 'malware', 'analyst', 'cuckoo', 'analysis', 'sample' and silently skips the beacon if so — explicit sandbox/analyst evasion that confirms malicious intent. The pattern matches the canonical dependency-confusion reconnaissance beacon used to fingerprint internal CI/build environments for follow-on attacks.