Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in metrics-probe-dc85 (npm)

metrics-probe-dc85

Risk score

92

AI summary

Indexed incident for metrics-probe-dc85 (npm).

Description

On install, package.json declares postinstall: node run.js, which auto-executes run.js when the package is installed. run.js imports os, fs, http, https, and child_process, collects host identity via os.hostname() and os.platform(), reads from the local filesystem, and POSTs the gathered data over HTTP/HTTPS. The combination of automatic install-time execution, host-identity enumeration, filesystem reads, and outbound POST traffic is the canonical install-time host-fingerprinting / exfiltration pattern. Installing this package causes the installer's machine identity and local file content to be sent to a remote endpoint without consent.
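An added example, not code from the advisory or from the package: a static triage check for the pattern described above, run over an unpacked package before it is installed. The function name, signal names, verdict labels and both sample packages are constructed for illustration.

```javascript
// Added example: flag install-time lifecycle scripts whose target file combines
// host-identity calls, filesystem reads and an HTTP/HTTPS client import.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const mod = (name) => new RegExp(`(require\\(\\s*|from\\s+)['"](node:)?${name}['"]`);
const SIGNALS = {
  hostIdentity: /\bos\.(hostname|platform)\s*\(/,
  fileRead: /\bfs\.(readFile|readFileSync|readdir|readdirSync|createReadStream)\b/,
  network: mod("https?"),
  childProcess: mod("child_process"),
};

// manifest: parsed package.json; files: { relativePath: sourceText } from the unpacked tarball.
function triagePackage(manifest, files) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = (manifest.scripts || {})[hook];
    if (!command) continue;
    const m = /\bnode\s+(?:\.\/)?([^\s;&|]+)/.exec(command); // script file the hook runs
    const file = m ? m[1] : null;
    const known = file && Object.prototype.hasOwnProperty.call(files, file);
    const source = known ? files[file] : "";
    const signals = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(source));
    // The combination this page describes, executed automatically at install time.
    const exfil = ["hostIdentity", "fileRead", "network"].every((s) => signals.includes(s));
    findings.push({ hook, command, file, signals, verdict: exfil ? "block" : "review" });
  }
  return findings;
}

// Constructed samples. The first mirrors the shape described above (network call elided).
const flaggedManifest = { name: "example-flagged", scripts: { postinstall: "node run.js" } };
const flaggedFiles = { "run.js": [
  "const os = require('os'), fs = require('fs');",
  "const http = require('http'), https = require('https'), cp = require('child_process');",
  "const id = { host: os.hostname(), platform: os.platform() };",
  "const data = fs.readFileSync(SOME_PATH); /* outbound POST elided */",
].join("\n") };
const benignManifest = { name: "example-benign", scripts: { postinstall: "node build.js", test: "node t.js" } };
const benignFiles = { "build.js": "const fs = require('fs'); fs.readFileSync('template.txt');" };

console.log(triagePackage(flaggedManifest, flaggedFiles));
console.log(triagePackage(benignManifest, benignFiles));
```

The verdicts reflect static text matches only, so a hook whose target file is missing or obfuscated still lands in "review". Installing with npm's --ignore-scripts flag keeps lifecycle scripts from running while a package is being reviewed.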

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
