@tonsdk/core impersonates the legitimate @ton/core TON blockchain SDK. On npm install, scripts/postinstall.js executes automatically and performs two attacker-controlled actions against a hardcoded bare-IP C2 at 213.218.160.189 (ports 8080 and 80) over plaintext HTTP. First, it base64-encodes a JSON fingerprint of the installer host — hostname, username, platform, arch — and sends it as a GET query string to /s?q=<base64>, leaking host identifiers on every install. Second, it fetches a response payload, optionally XOR-decrypts it, and passes the result to eval(), giving the operator arbitrary remote code execution in the installer's Node process. The script also probes for VM/sandbox/analyst tooling (vmtoolsd, vboxservice, wireshark, x64dbg, ida) to suppress execution in researcher environments. The package description and name target developers searching for TON SDK tooling; the repository URL (aspect-build/tonsdk) is unrelated to the real TON foundation.