Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in setka-editor (npm)

setka-editor

Risk score

92

AI summary

Indexed incident for setka-editor (npm).

Description

package.json registers both preinstall and postinstall lifecycle hooks that run node callback.js, which executes automatically on npm install. callback.js collects installer-side identity and environment data — username, uid/gid, homedir, hostname, platform, cwd, local network interfaces, external IP via api.ipify.org, Node version, and CI/secret-presence flags (AWS_ACCESS_KEY_ID, GITHUB_TOKEN, NPM_TOKEN, DOCKER_PASSWORD) — and POSTs the result to a hardcoded Discord webhook (https://discord.com/api/webhooks/1516163806559076442/...). A DNS-based exfiltration fallback is also implemented. The package self-identifies as a dependency-confusion PoC and is published at version 999.0.0 to outrank private-registry packages of the same name; any build pipeline that resolves setka-editor from the public npm registry will execute the callback and leak the listed data. Regardless of stated research intent, the install-time exfiltration of installer host data and CI secret-presence flags to an attacker-controlled Discord endpoint is a real supply-chain attack against any pipeline that resolves this name.
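As an added defender-side example (not the advisory's or the package's code), the following Node script turns the behaviours described above into triage heuristics for a package manifest and its install script: lifecycle hooks, an implausible major version, exfiltration sinks and secret-presence probes. The indicator patterns, the version threshold and the sample inputs are constructed assumptions, not data from the incident.

```javascript
// Added example: triage a package.json plus the scripts its lifecycle hooks run.
// Heuristics and sample inputs are constructed; they are not the package's code.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const SUSPICIOUS_MAJOR = 100; // assumption: majors this large are a dependency-confusion tell
const EXFIL_INDICATORS = [
  /discord\.com\/api\/webhooks\//i, // hardcoded chat webhook used as a sink
  /api\.ipify\.org/i,               // external IP lookup
  /os\.networkInterfaces\(\)/,      // local network enumeration
  /dns\.(resolve|lookup)/,          // DNS-based exfiltration fallback
];
const SECRET_ENV_VARS = ['AWS_ACCESS_KEY_ID', 'GITHUB_TOKEN', 'NPM_TOKEN', 'DOCKER_PASSWORD'];

// Returns a list of human-readable findings; an empty list means nothing flagged.
function triagePackage(manifest, scriptSources) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle hook ${hook}: "${scripts[hook]}"`);
  }
  const major = parseInt(String(manifest.version).split('.')[0], 10);
  if (Number.isFinite(major) && major >= SUSPICIOUS_MAJOR) {
    findings.push(`implausible major version ${manifest.version} (outranks private-registry copies)`);
  }
  for (const [file, src] of Object.entries(scriptSources)) {
    for (const re of EXFIL_INDICATORS) if (re.test(src)) findings.push(`${file}: matches ${re}`);
    const envHits = SECRET_ENV_VARS.filter((v) => src.includes(v));
    if (envHits.length) findings.push(`${file}: probes secret env vars ${envHits.join(', ')}`);
  }
  return findings;
}

// Constructed sample mirroring the advisory: both hooks run node callback.js at 999.0.0.
const sampleManifest = {
  name: 'setka-editor',
  version: '999.0.0',
  scripts: { preinstall: 'node callback.js', postinstall: 'node callback.js' },
};
// Constructed stand-in for the install script: only the indicator strings, not working code.
const sampleScripts = {
  'callback.js': [
    "const os = require('os'), dns = require('dns');",
    '// probes AWS_ACCESS_KEY_ID GITHUB_TOKEN NPM_TOKEN DOCKER_PASSWORD in process.env',
    '// external IP via api.ipify.org, POST to https://discord.com/api/webhooks/<redacted>',
    '// fallback: dns.resolve(...) with encoded data in the query name',
  ].join('\n'),
};

console.log(triagePackage(sampleManifest, sampleScripts).join('\n'));
```

Running the same check in CI before `npm install` (or installing with `--ignore-scripts`) blocks the install-time execution path this incident relies on.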

Technical details

Affected versions

=999.0.0

Indicators

  • affected version = 999.0.0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
