Supply-chain threat intelligence
Risk score: 92
Indexed incident for @qlab/component-intelligence (npm).
package.json declares a preinstall hook ("preinstall": "node index.js") that runs automatically on npm install. index.js requires os, dns, https, querystring, and the package's own package.json. It collects the installer's hostname (os.hostname()), username (os.userInfo().username), home directory (os.homedir()), configured DNS servers (dns.getServers()), current working directory, and the full contents of package.json, then POSTs them via HTTPS to the hardcoded webhook https://eo1e4fhn1i67p8r.m.pipedream.net/.

This is the canonical dependency-confusion / recon-beacon shape: host identifiers and internal package metadata leave the machine unconditionally at install time to an attacker-controlled endpoint, giving the attacker reconnaissance data on internal package names, corporate hostnames, and user identities to fuel follow-on supply-chain attacks.