The unscoped package name 'getd-content-management' impersonates the legitimate @getd/* npm scope (acknowledged in the package's own README). On npm install, the postinstall.js lifecycle script collects host identifiers via os.hostname(), os.userInfo().username, os.platform(), process.cwd(), and CI-related environment variables (CI, BUILD_BUILDID, AGENT_NAME), and transmits them as query-string parameters in an HTTPS GET request to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 — a generic third-party request-capture service unrelated to any publisher infrastructure. Errors are silently swallowed so the installer sees no indication the call occurred. The combination of name-confusion against an existing scope and silent install-time beaconing of internal hostnames, user accounts, build paths, and CI agent identity to an attacker-controlled capture URL is operationally indistinguishable from a malicious typosquat regardless of how the README frames the behavior.