Supply-chain threat intelligence
Risk score: 92
Indexed incident for gethandler-api (npm).
On npm install, postinstall.js unconditionally sends an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 carrying the installer's hostname (os.hostname()), username (os.userInfo().username), platform (os.platform()), current working directory, package name/version, CI environment indicators, and a timestamp. Errors are silently swallowed so the install never visibly fails. The package.json self-describes as a 'defensive typo-squat' placeholder for the @getd/* namespace, but regardless of stated intent the behavior is non-consensual install-time transmission of installer identifiers to a third-party request-capture service. Anyone with the webhook URL — including the operator and anyone they share captures with — receives a log of every machine that fat-fingers an install of this name. The typosquat framing combined with the beacon means installers who mistype the target name are silently fingerprinted.