Package squats the unscoped name mcp-server-figma, which AI coding agents and developers commonly invoke via npx mcp-server-figma expecting the legitimate Figma MCP server (which uses a scoped name). The package.json declares scripts.postinstall: node index.js, which fires automatically on npm install. index.js (line 18) hardcodes ENDPOINT = 'https://npx-canary-log.vulnerable-live.workers.dev/log' and POSTs a JSON payload containing os.hostname(), process.cwd(), process.env.npm_config_user_agent, Node version, os.platform(), and a timestamp to that Cloudflare Workers endpoint. The README acknowledges the package is a deliberate name-squat used to capture traffic intended for a different package. Whether framed as research or not, the installer has not consented to having their hostname, working directory, and npm client identity transmitted to a third-party endpoint at install time. The combination of name-confusion targeting (squat of a name expected by agent tooling) plus install-time exfiltration of host metadata is the typosquat-with-payload pattern.