package.json declares a postinstall hook ("postinstall": "node run.js") that executes run.js automatically on every npm install. run.js imports os, fs, http, https, and child_process, reads host identifiers including os.hostname() and os.platform(), reads files from disk via fs.readFileSync, and issues outbound HTTP POST requests carrying that data. The package's stated name ("metrics-probe") with a random hex suffix, combined with an install-time host-fingerprinting beacon and no library functionality, matches the shape of an installer-side reconnaissance / data-exfiltration payload that fires automatically on npm install without any user action.