On npm install, the package's postinstall hook (install.js, registered via package.json line 10 "postinstall": "node install.js") downloads a platform-specific executable from https://laogou.us/download/veteran/v1.0.0/veteran_1.0.0_<platform>_<arch>.{tar.gz,zip} (install.js:13 const DOWNLOAD_BASE_URL = 'https://laogou.us/download/veteran'), extracts it via shell tar/unzip, chmod 0o755s it (install.js:165), and immediately executes it (install.js:170 execSync("${BIN_PATH}" version",...)). The download host laogou.us does not match the package's declared publisher/homepage (github.com/yongjie0203/veteran); the URL is not version-pinned to a hash or signature; no checksum or signature verification is performed on the fetched bytes; and source comments suggest the URL is meant to be swapped by future maintainers. The operator of laogou.us can therefore serve arbitrary native code to every installer, with the bytes executed under the installer's user on npm install. This matches the publisher-mismatched, unverified, mutable-host dropper pattern.