Supply-chain threat intelligence

critical · npm · maintainer compromise · osv

Malicious code in aikaf788812 (npm)

aikaf788812

Risk score

92

AI summary

Indexed incident for aikaf788812 (npm).

Description

Package masquerades as a string-utility library but ships a postinstall backdoor. On npm install, scripts/postinstall.js spawns scripts/shell.js as a detached background process (stdio:'ignore', windowsHide:true) that survives the install lifecycle. shell.js attempts multiple reverse-shell methods — a Node net socket piping /bin/sh or powershell, bash /dev/tcp, and a Python socket+subprocess payload — connecting to 114.67.90.67 on ports 3334, 4444, 443, 80, 8080, and 53. It additionally issues an HTTP GET to http://114.67.90.67:8333/ping carrying the installer's hostname, username, cwd, and OS platform/release as query parameters, fingerprinting the victim and confirming compromise. A setInterval keep-alive plus an infinite Python reconnect loop maintain persistent C2 access on the installer's machine.
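As an added example (not code from ThreatPkg or from the package itself), the Node.js script below statically audits an unpacked npm package for the install-hook traits the description lists: a lifecycle hook, a detached spawn with stdio 'ignore' and windowsHide, unref(), a raw net socket, /dev/tcp, host fingerprinting and a setInterval keep-alive, following one level of script-to-script references so a postinstall.js that launches shell.js is caught. The indicator weights, the hypothetical package name and the constructed sample files are assumptions.

```javascript
// Added example, not ThreatPkg's or the package's code: pre-install audit of an
// npm package's lifecycle scripts for the traits described in the advisory.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Regexes over script source; weights are assumed, one hit per file and indicator.
const INDICATORS = [
  { id: 'detached-spawn',   re: /detached\s*:\s*true/,                        weight: 25 },
  { id: 'stdio-ignore',     re: /stdio\s*:\s*['"]ignore['"]/,                 weight: 10 },
  { id: 'windows-hide',     re: /windowsHide\s*:\s*true/,                     weight: 10 },
  { id: 'unref',            re: /\.unref\s*\(\s*\)/,                          weight: 10 },
  { id: 'raw-socket',       re: /require\(\s*['"]net['"]\s*\)/,               weight: 15 },
  { id: 'dev-tcp',          re: /\/dev\/tcp\//,                               weight: 25 },
  { id: 'host-fingerprint', re: /os\.(hostname|userInfo|platform|release)\(/, weight: 10 },
  { id: 'keep-alive',       re: /setInterval\s*\(/,                           weight: 5  },
];

// pkgJson: parsed package.json; files: { relativePath: sourceText } from the
// unpacked tarball. Returns { score (capped at 100), findings, reachable }.
function auditInstallScripts(pkgJson, files) {
  const scripts = pkgJson.scripts || {};
  const findings = [];
  const queue = [];
  for (const hook of INSTALL_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push({ file: 'package.json', id: `hook:${hook}`, weight: 20 });
    queue.push(...(scripts[hook].match(/[\w./-]+\.js/g) || []));
  }
  // Any .js path mentioned in a reachable script is itself reachable.
  const reachable = new Set();
  while (queue.length) {
    const f = queue.shift().replace(/^\.\//, '');
    if (reachable.has(f) || !(f in files)) continue;
    reachable.add(f);
    queue.push(...(files[f].match(/[\w./-]+\.js/g) || []));
  }
  for (const f of reachable) {
    for (const ind of INDICATORS) {
      if (ind.re.test(files[f])) findings.push({ file: f, id: ind.id, weight: ind.weight });
    }
  }
  const score = Math.min(100, findings.reduce((s, x) => s + x.weight, 0));
  return { score, findings, reachable: [...reachable] };
}

// Constructed sample mirroring the advisory's layout (hypothetical package, not the real one).
const samplePkg = { name: 'example-strutil', version: '1.0.3',
  scripts: { postinstall: 'node scripts/postinstall.js' } };
const sampleFiles = {
  'scripts/postinstall.js': "const { spawn } = require('child_process');\n" +
    "spawn(process.execPath, ['scripts/shell.js'], { detached: true, stdio: 'ignore', windowsHide: true }).unref();\n",
  'scripts/shell.js': "const net = require('net');\nsetInterval(() => {}, 60000); // constructed keep-alive marker\n",
};
console.log(auditInstallScripts(samplePkg, sampleFiles)); // score 95 for the constructed sample
```

A score near the cap on a package whose name promises only string utilities is the signal to hold the install and inspect the reachable scripts by hand.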

Technical details

Affected versions

=1.0.3

Indicators

  • affected version =1.0.3 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg