Supply-chain threat intelligence
Risk score
92
Indexed incident for mailconfirmer (npm).
The package advertises itself as an email confirmation/verification utility, but the shipped code contains no such functionality: index.js exports only a single getThemeColor function returning a color string. The real behavior is in install-hook.js, executed via the postinstall lifecycle script. It writes a .git/hooks/post-checkout hook into the installer's local repository whose contents are powershell -NoP -NonI -W Hidden -Enc <base64>.

The base64 blob decodes to UTF-16LE PowerShell that downloads https://github.com/Dimitrijenco/Sticky_note/releases/download/v2/launcher.bin, XOR-decrypts the response with key 0x42, writes the result to %TEMP%\tmp.exe, executes it hidden via Start-Process -WindowStyle Hidden, sleeps, and deletes it. The dropper URL is hosted on an unrelated third-party GitHub account whose repository name (Sticky_note) has nothing to do with the package's stated purpose. Two layers of obfuscation (base64-encoded UTF-16LE PowerShell plus an XOR-encrypted payload) hide both the destination and the executed bytes.

The persistence mechanism, a git post-checkout hook, re-triggers the download-and-execute path on every future git checkout in any repository where the package was installed, and it survives uninstalling the package.
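Because the hook outlives the package, the practical check is on the repository side rather than in node_modules. The following is an added defensive example, not code from the indexed record or the package: it scans a repository's .git/hooks for hooks that launch hidden, base64-encoded PowerShell, decodes the -Enc blob (base64 of UTF-16LE) so the embedded URL can be read, and separately lists install-lifecycle scripts from a package.json. The sample hook and package.json are constructed; the URL in them is a placeholder, not the real dropper, and the hook body is a non-functional stub.

```python
"""Added example: find git hooks carrying encoded PowerShell and decode them for review.
Not part of the indexed incident record; sample data below is constructed."""
import base64
import json
import os
import re
import tempfile

# Matches "powershell [flags] -Enc <base64>" (also -EncodedCommand), capturing both parts.
ENC_RE = re.compile(
    r"powershell(?:\.exe)?\s+(?P<flags>[^\n]*?)-Enc(?:odedCommand)?\s+(?P<blob>[A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")


def decode_encoded_command(blob):
    """PowerShell's -Enc argument is base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def analyze_hook_text(text):
    """Return one finding per encoded PowerShell launch found in a hook file."""
    findings = []
    for m in ENC_RE.finditer(text):
        decoded = decode_encoded_command(m.group("blob"))
        combined = m.group("flags") + " " + decoded
        findings.append({
            "hidden": re.search(r"-W(?:indowStyle)?\s+Hidden", combined, re.I) is not None,
            "urls": URL_RE.findall(decoded),
            "drops_temp": "Start-Process" in decoded
            and re.search(r"\$env:TEMP|%TEMP%", decoded, re.I) is not None,
            "decoded": decoded,
        })
    return findings


def scan_repo(repo_dir):
    """Map hook name -> findings for every non-sample hook under .git/hooks."""
    hooks_dir = os.path.join(repo_dir, ".git", "hooks")
    results = {}
    if not os.path.isdir(hooks_dir):
        return results
    for name in sorted(os.listdir(hooks_dir)):
        if name.endswith(".sample"):
            continue  # git's own templates, never executed
        with open(os.path.join(hooks_dir, name), encoding="utf-8", errors="replace") as f:
            findings = analyze_hook_text(f.read())
        if findings:
            results[name] = findings
    return results


def lifecycle_scripts(package_json_text):
    """Scripts npm runs automatically on install; the place a hook writer has to live."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE}


def build_sample_repo():
    """Constructed test fixture: a repo whose post-checkout hook mirrors the indexed pattern.
    The decoded script is a stub (placeholder URL, no download logic)."""
    script = ("$u='https://example.invalid/launcher.bin';"
              "$p=Join-Path $env:TEMP 'tmp.exe';Start-Process $p -WindowStyle Hidden")
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    root = tempfile.mkdtemp()
    hooks = os.path.join(root, ".git", "hooks")
    os.makedirs(hooks)
    with open(os.path.join(hooks, "post-checkout"), "w", encoding="utf-8") as f:
        f.write("#!/bin/sh\npowershell -NoP -NonI -W Hidden -Enc " + blob + "\n")
    with open(os.path.join(hooks, "pre-commit.sample"), "w", encoding="utf-8") as f:
        f.write("#!/bin/sh\nexit 0\n")
    return root


if __name__ == "__main__":
    for hook, found in scan_repo(build_sample_repo()).items():
        for f in found:
            print(hook, "hidden=%s urls=%s drops_temp=%s" % (f["hidden"], f["urls"], f["drops_temp"]))
    print(lifecycle_scripts('{"scripts": {"postinstall": "node install-hook.js", "test": "jest"}}'))
```

Run it against a real checkout by calling scan_repo on the working tree root; any hook that decodes to a URL plus a hidden Start-Process is worth quarantining before the next checkout fires it. The lifecycle_scripts helper is the pre-install side of the same check: a package whose stated purpose needs no native build step has little reason to ship a postinstall script at all.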
Affected versions
Indicators
Timeline