Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in @achuthvp/postinstall-poc (npm)

@achuthvp/postinstall-poc

Risk score

92

AI summary

Indexed incident for @achuthvp/postinstall-poc (npm).

Description

package.json declares scripts.postinstall = node postinstall.js, so postinstall.js runs on every npm install. It executes execSync('id') and POSTs a JSON body containing the id output, os.hostname(), platform, architecture, process.cwd(), and the Node version to the hardcoded URL https://webhook.site/fceebb0d-9f11-4ac0-98db-6f6b3925f7d3 (URL at postinstall.js line 14; the exfiltration request is built with https.request at line 21 and sent as a POST at line 24). The behavior is unconditional, is not disclosed in the README ("Does nothing much"), and fires on a default install. Although the package describes itself as a POC, the install-time mechanism is identical to an active reconnaissance/exfiltration payload: any developer workstation or CI machine that installs this package leaks its identity (uid/gid/groups via id, hostname, cwd, platform) to an attacker-readable webhook bin.

Technical details

Affected versions

= 1.0.2, = 1.0.3

Indicators

  • affected version = 1.0.2 (75%)
  • affected version = 1.0.3 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents