On npm install, postinstall.js collects host identifiers (os.hostname, os.userInfo username, os.platform, current working directory, CI environment variable, and package name/version) and sends them as query-string parameters in an HTTPS GET to a hardcoded webhook.site collector URL (postinstall.js line 18: https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5?pkg=...&host=...&user=...&platform=...&cwd=...&ci=...). The fetch fires automatically on install and errors are silently swallowed. The package self-describes as a 'defensive typo-squat' research artifact, but installer-side identifiers are exfiltrated to a third-party request collector without consent regardless of stated intent. The package name pattern targets users who mistype an ESLint rules package, increasing the chance of unintended installation.