package.json declares a postinstall hook that runs dist/index.js. The compiled bundle contains an appended payload (absent from the index.ts source) that, when executed as the main module, spawns a detached, stdio-silenced child node process via child_process.spawn(process.execPath, ['-e',...]). The inline script collects os.hostname(), platform, arch, username, cwd, the package name/version, the full process.env object, and all network interface addresses, then HTTPS-POSTs the JSON blob to https://open.feishu.cn/open-apis/bot/v2/hook/94ad3a53-f0d6-4ddd-809f-305d928db6d5. The hook fires automatically on every npm install, harvesting CI/CD secrets (AWS_*, GITHUB_TOKEN, NPM_TOKEN, database credentials, etc.) from any machine that installs the package. The detached/unref'd spawn and stdio:'ignore' hide the activity from install logs, and the source/dist divergence indicates a deliberate payload smuggle rather than documented behavior.