Supply-chain threat intelligence
Risk score: 92
Indexed incident for aikaf668897 (npm).
On npm install, the package's postinstall hook (node scripts/postinstall.js) spawns a detached background Node process running scripts/shell.js with detached: true, stdio: 'ignore', windowsHide: true and .unref(), so the child survives the completion of npm install and runs invisibly. scripts/shell.js opens a TCP socket to the hardcoded bare IP 114.67.90.67 on port 3333 and pipes the stdin/stdout/stderr of a local shell (/bin/sh on Unix, powershell.exe with a hidden window on Windows) to that socket, with a 10-second reconnect loop. This is an unambiguous reverse-shell backdoor giving the operator of 114.67.90.67 interactive command execution on the installer's machine. The package's advertised purpose (a string-manipulation utility, with index.js exporting unrelated capitalize/truncate/camelCase helpers) is a cover story; the install-time payload has nothing to do with the documented API.
Affected versions
Indicators
Timeline