Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in npm-sandbox-ping-r9t2 (npm)

npm-sandbox-ping-r9t2

Risk score

92

AI summary

Indexed incident for npm-sandbox-ping-r9t2 (npm).

Description

package.json declares a postinstall hook ("postinstall": "node run.js") that runs automatically on install. The package ships beacon scripts (beacon14.js, beacon_linux.js) that import child_process, http and os, run shell commands such as whoami, read process.env, process.platform, os.hostname() and os.platform(), and transmit the collected host/identity data via http.request (GET/POST) to a remote endpoint. The data flow (system enumeration -> outbound HTTP) combined with install-time auto-execution constitutes a credential/host-info exfiltration beacon. Installer harm: any machine that runs npm install npm-sandbox-ping-r9t2 will silently execute these beacons and leak local identity and environment information (process.env contents included) to a remote endpoint.

Technical details

Affected versions

=1.0.0

Indicators

  • affected version = 1.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents