Supply-chain threat intelligence
Risk score
92
Indexed incident for metrics-probe-77d4 (npm).
On install, package.json declares a postinstall script, node run.js, so npm runs run.js automatically as part of npm install with no action from the consumer. run.js imports os, fs, http, https, and child_process. At runtime it collects host identifiers (os.hostname(), os.platform()), reads files from the local filesystem (fs.existsSync / fs.readFileSync), and then issues outbound HTTP/HTTPS requests: POST calls (run.js lines 322 and 329) and GET / http.get fetches (lines 38 and 190). The net effect is that the installing host's identifiers and the contents of local files are sent to attacker-controlled network destinations during installation. The package name (random-looking suffix -77d4) and the absence of any documented purpose are consistent with a disposable exfiltration lure rather than a legitimate library.
Affected versions
Indicators
Timeline