Supply-chain threat intelligence
Risk score: 92
Indexed incident for ect-472839 (npm).
On npm install, the package's lifecycle script (index.js lines 7-19) reads /flag.txt from the installer's host (falling back to cat /flag*) and PUTs the file contents in a JSON payload to a hardcoded endpoint at http://127.0.0.1:3000/api/modules/ECT-987654. The package.json declares name: ect-472839, version: 100.0.1, description: "Probe", and an empty author: the classic dependency-confusion probe fingerprint (high version number, throwaway metadata, no advertised functionality). The package has no legitimate purpose; its sole install-time effect is to read a CTF-style filesystem artifact and ship it to a service on the loopback interface. Although the destination is 127.0.0.1, on any host where a local service is bound to :3000 (or on a dependency-confusion target where the attacker is running such a service), the file contents are exfiltrated. This is a malicious supply-chain probe, not a utility library.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.