On npm install, the package's postinstall hook (postinstall.js) requires index.js, whose top-level scanAndExfiltrate() call walks the installer's working directory and parent directories for sensitive files (.env,.aws/credentials,.ssh/id_rsa,.npmrc,.netrc,.git-credentials, service-account.json, and similar) and POSTs their contents via execSync('curl...') to a hardcoded Discord webhook. The webhook URL is split into two base64-encoded chunks (aHR0cHM6Ly9kaXNjb3JkLmNvbS9hcGkvd2ViaG9va3Mv plus a base64-encoded webhook ID/token) and reassembled at runtime to evade simple string scanners. The combination of installer-secret enumeration, hardcoded attacker-controlled exfil endpoint, base64 obfuscation, and unconditional execution under the postinstall lifecycle hook is a textbook supply-chain credential-theft attack.