On install, package.json runs node run.js via a postinstall lifecycle hook. The package ships beacon scripts (beacon9.js, beacon_linux.js) that import child_process, os, and http, collect host identity (os.hostname(), os.platform()) and issue outbound HTTP POST/GET requests. This is the canonical install-time host beacon / command-execution shape: arbitrary code runs on the installer's machine via npm install, host fingerprints are emitted over the network, and child_process is available to execute received instructions. The package name (npm-sandbox-research-*) and shipped contents are inconsistent with any legitimate library purpose.