@rockawayx/utils squats the unclaimed @rockawayx npm scope and runs a preinstall beacon on every install. package.json declares "preinstall": "node notify.js || true"; notify.js collects os.hostname(), os.userInfo().username, os.platform(), and a timestamp and POSTs them as JSON to https://2.25.140.71:8443/rockawayx/depconf-poc with rejectUnauthorized: false (TLS verification disabled). The destination is a hardcoded bare IPv4, not a publisher-owned domain. Any build that resolves @rockawayx/* against the public registry — the canonical dependency-confusion victim — will pull this package and silently transmit host identifiers to the bare IP. The README frames the package as authorized security research, but the code performs the same install-time exfiltration any dependency-confusion attacker would, and consumers in any pipeline (not only the targeted organization) trigger the beacon without consent.