Supply-chain threat intelligence
Risk score: 92
Indexed incident for tango-app-api-trax (npm).
The tarball contains live, importable credentials for systems other than the installer's own.

src/controllers/internalTrax.controller.js hardcodes Lenskart POS authentication (username tango.eye, password 55eyetango123, header X-Lenskart-API-Key: valyoo123) inside the exported controllers aomupdateCollection and saleUpdateCollection, which post to webservice.pos.lenskart.com and central.pos.lenskart.com. Any consumer of this npm package can use these credentials to authenticate to Lenskart's production POS API as the tango.eye partner and read or mutate employee and store data.

Additionally, fir-51e77-firebase-adminsdk-x3sdp-fd902b74ae.json ships a complete Google Cloud service account (project_id: tango-trax, client_email: firebase-adminsdk-k7lom@tango-trax.iam.gserviceaccount.com), including the BEGIN PRIVATE KEY block, granting Firebase Admin privileges over the tango-trax GCP project to anyone who pulls the package.

There are no install-time lifecycle hooks; the harm is the redistribution of usable third-party credentials, not auto-execution. The "ping" matches reported by the static analysis are unrelated string occurrences in the controller, not exfiltration behavior.
Affected versions
Indicators
Timeline