On install, package.json runs postinstall: node run.js, which loads beacon scripts (beacon8.js, beacon_linux.js) that import child_process, os, and http, gather host identity (output of whoami, os.hostname(), os.platform()), and POST the collected data to a hardcoded HTTP endpoint via http.request(...). This fires automatically on npm install, providing attacker-controlled reconnaissance of every installer host with no user interaction. The behavior — privileged shell command execution, host identity collection, and outbound HTTP POST from a postinstall hook — matches the active-attack reconnaissance/beacon fingerprint.