Supply-chain threat intelligence
Risk score: 92
Indexed incident for nim-submit-for-test (npm).
On npm install, the package's postinstall hook executes lib/_compiler.js, which spawns a detached Node process that collects host identity (hostname, username, cwd, IP addresses, npm registry) and the names of environment variables matching NPM|NODE|CI|JENKINS|GIT|BUILD|RUNNER|DOCKER|KUBE|REGISTRY, then POSTs them via https.request to a hardcoded DingTalk webhook (oapi.dingtalk.com/robot/send) with an embedded access token. Before sending, the script checks the installer's username and hostname against an evasion list ('sandbox','malware','analyst','cuckoo','analysis','sample') and exits silently when matched, to avoid running in security analysis environments. The combination of automatic install-time execution, host/CI metadata collection, hardcoded attacker-controlled webhook, and analyst-environment evasion is a clear supply-chain exfiltration beacon.
Affected versions
Indicators
Timeline