Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in sheratan_haha (npm)

sheratan_haha

Risk score

92

AI summary

Indexed incident for sheratan_haha (npm).

Description

On npm install, the package's declared postinstall hook (node postinstall.js) runs whoami on the installer's machine and POSTs the output to a hardcoded webhook.site endpoint (https://webhook.site/0ea9eb45-3ede-4cf0-9ea9-2b8d700272e7) via https.request. The package advertises itself as 'A simple date formatting utility' but ships no library code consistent with that purpose — the only behavior on install is host fingerprinting and exfiltration to an attacker-controlled URL. Metadata is placeholder-shaped (empty author, generic description, name sheratan_haha), consistent with a dependency-confusion / recon PoC. Installing this package leaks the installer's OS username to an external endpoint controlled by the publisher.

Technical details

Affected versions

= 1.0.1, = 1.0.0

Indicators

  • affected version = 1.0.1 (75%)
  • affected version = 1.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents