Supply-chain threat intelligence
Risk score: 92
Indexed incident for getd-typescript-eslint-rules (npm).
On npm install, the postinstall.js script collects the installer's hostname, OS username, platform, current working directory, CI environment markers (CI, BUILD_BUILDID, AGENT_NAME), and package name/version, then sends them as query parameters in an HTTPS GET to a hardcoded webhook.site collector (https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5). Errors are swallowed so the install does not fail visibly. The package's own metadata declares it a typosquat targeting @getd/typescript-eslint-rules and frames the beacon as 'defensive security research,' but the on-install behavior identifies any installer (including internal CI build agents) to a third-party endpoint regardless of stated intent.
Affected versions
Indicators
Timeline