Supply-chain threat intelligence
Risk score: 92
Indexed incident for canary-ci-test (npm).
On npm install, the package's postinstall lifecycle script (postinstall.js) collects installer-side host identifiers — os.hostname(), os.userInfo().username, process.cwd(), platform, and a DNS resolution result — and POSTs them as JSON to the hardcoded endpoint https://opgelost.nu/ (BEACON_URL declared at postinstall.js:15; HTTPS request constructed at line 31; POST issued at line 33; payload assembled at lines 58-66). The fetch fires automatically with no opt-in, and errors are silently swallowed so installers see no indication of the outbound beacon. The behavior is unrelated to any documented package purpose and matches a classic install-time phone-home exfiltration pattern. The package's own metadata declares it to be a scanner test fixture; the executed code, however, is functional exfiltration that runs against any machine that installs it.