THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in getd-web-corporativa (npm)

getd-web-corporativa

Risk score

92

AI summary

Indexed incident for getd-web-corporativa (npm).

Description

On npm install, postinstall.js performs an HTTPS GET to a hardcoded webhook.site receiver, leaking the installer's hostname, OS username, platform, current working directory, package name/version, CI/build indicators, and a timestamp via URL query parameters. Errors are swallowed so installation appears to succeed silently. The destination is a public webhook collector — any party holding the UUID path can read every submission, so this is unauthenticated host reconnaissance suitable for follow-on targeting. The package's name resembles the @getd/* scope but is published unscoped by jplopezy (defensive-squat) with no repository and a placeholder homepage; the README's 'defensive squat telemetry' framing does not change the fact that installer-side identity data is shipped off-host without consent on every install. The package has no other functionality.

Technical details

Affected versions

=0.0.1

Indicators

  • affected version = 0.0.1 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
