Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in build-tracker-n5p1 (npm)

Risk score

92

AI summary

Indexed incident for build-tracker-n5p1 (npm).

Description

Package name suggests build telemetry tooling, but the tarball ships beacon scripts (beacon18.js, beacon_linux.js) wired to a postinstall lifecycle hook ("postinstall": "node run.js" in package.json line 9). On install, these scripts collect host identifiers via os.hostname()/os.platform() and child_process, then issue outbound HTTP GET/POST requests via http.request from the installer's machine. This combination — auto-execute on install, host fingerprinting, and outbound HTTP exfiltration — is a classic install-time host beacon / data-exfiltration pattern. There is no legitimate build-tracking reason to fingerprint the host and beacon out at install time without consent or configuration.

Technical details

Affected versions

=1.0.0

Indicators

  • affected version =1.0.0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
