Supply-chain threat intelligence
Risk score: 92
Indexed incident for oa-crm-webapi (npm).
oa-crm-webapi@9.9.99 is a dependency-confusion payload squatting an internal-sounding package name. Its package.json declares a postinstall hook (node beacon.js) that runs automatically on npm install. beacon.js reads os.hostname() and transmits it to the attacker-controlled Burp Collaborator host yfhjhookbia8zov0q5hh772xroxfl69v.oastify.com over two channels: a DNS lookup of <nonce>.<hostname>.<collaborator-host> (out-of-band DNS exfiltration) and an HTTPS POST to the same host with the hostname in the request body. The 9.9.99 version number combined with a generic 'internal placeholder' description is the canonical pattern used to hijack private package names by overriding the legitimate internal registry resolution. A successful install both proves code execution on the installing machine and leaks its internal hostname to an external attacker.