On npm install, postinstall.js issues an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 carrying os.hostname(), os.userInfo().username, os.platform(), process.cwd(), CI environment indicators (CI, BUILD_BUILDID, AGENT_NAME), and the package name/version. Errors are swallowed silently. The destination is an anonymous third-party request-bin, not a publisher-owned endpoint, so any party holding the webhook URL receives identifying information about every machine that installs this package. The package's README frames itself as a 'defensive squat' of the @getd scoped namespace, but the data flow — installer identifiers leaving the host to an unaffiliated request-bin without consent — is identical to a malicious typosquat beacon. The combination of a name that lures users targeting @getd/* and an unauthenticated metadata beacon at install time is installer-harming regardless of stated intent.