On npm install, the package's postinstall.js executes whoami via child_process and POSTs the output (along with stderr, error, and a timestamp) to a hardcoded webhook.site collector URL. The package self-describes as 'A simple date formatting utility' and contains no code matching that purpose; the only behavior on install is the host-identity beacon. Package metadata is consistent with a throwaway exfiltration artifact (placeholder name sheratan_test_p, empty author, generic description). Any developer or CI runner installing this package leaks their user/host context to an attacker-controlled third-party collector.