Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in ts-linter-builders (npm)

ts-linter-builders

Risk score

92

AI summary

Indexed incident for ts-linter-builders (npm).

Description

index.js imports child_process and contains a hardcoded outbound POST to https://tg-wallet-manager.vercel.app, along with additional fetch() calls to the same destination. The code reads environment data and host identifiers and sends them to this attacker-controlled endpoint. The package name advertises a TypeScript linter helper, but the embedded behavior is unrelated to linting and matches the shape of a credential/host-info beacon. Taken together, the hardcoded third-party Vercel-hosted endpoint, the environment reads and the child_process import form an installer-side exfiltration / RCE staging surface that has no legitimate purpose in a "linter builder" package.

Technical details

Affected versions

=1.0.4

Indicators

  • affected version=1.0.4 · 75%
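
One way to check a project for the affected version listed above, as an added example (not part of the advisory and not ThreatPkg's code). It walks an already-parsed npm lockfile in either the v1 "dependencies" or the v2/v3 "packages" layout; the sample lockfile and the names demo-app, build-kit and tslb are constructed for illustration.

```javascript
// Package and affected version as listed in this advisory.
const ADVISORY = { name: "ts-linter-builders", versions: ["1.0.4"] };

// Constructed sample lockfile (v3 shape), not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/eslint": { version: "8.57.0" },
    "node_modules/build-kit/node_modules/ts-linter-builders": { version: "1.0.4" },
    "node_modules/tslb": { name: "ts-linter-builders", version: "1.0.3" }, // alias, unaffected version
  },
};

// Return every place in a parsed npm lockfile where the advisory's
// package is pinned to an affected version, including transitive installs.
function findAffected(lock, advisory = ADVISORY) {
  const hits = [];
  const check = (name, version, where) => {
    if (name === advisory.name && advisory.versions.includes(version)) {
      hits.push({ name, version, where });
    }
  };
  if (lock.packages) {
    // v2/v3: keys are install paths; "name" is set when the install is aliased.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const idx = path.lastIndexOf("node_modules/");
      const name = meta.name || (idx >= 0 ? path.slice(idx + "node_modules/".length) : path);
      check(name, meta.version, path);
    }
  } else {
    // v1: nested "dependencies" objects keyed by package name.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, trail.concat(name).join(" > "));
        walk(meta.dependencies, trail.concat(name));
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

console.log(findAffected(SAMPLE_LOCK));
```

To check a real project, pass the result of JSON.parse on its package-lock.json contents. A hit means the affected version was resolved for install, so the environment data of any host or CI runner that installed it should be treated as exposed.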

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
