Supply-chain threat intelligence
Risk score: 92
Indexed incident for pkg-telemetry-r4f9 (npm).
On install, package.json's postinstall hook runs node run.js, which loads beacon scripts that combine the child_process, os, and http modules to collect host identifiers and send them to a remote endpoint. beacon_linux.js reads os.hostname() and os.platform() and issues an http.request POST carrying that data to a hardcoded host. beacon17.js similarly imports child_process and performs outbound HTTP GETs. The package name ("pkg-telemetry-r4f9", with a random-looking suffix) and its install-time-only behavior are inconsistent with any legitimate library purpose. Installing this package causes automatic, unconsented exfiltration of the installing host's metadata and provides a remote-execution surface via child_process.
Affected versions
Indicators
Timeline