Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in npm-sandbox-research-c5d6 (npm)

npm-sandbox-research-c5d6

Risk score

92

AI summary

Indexed incident for npm-sandbox-research-c5d6 (npm).

Description

The package declares a postinstall hook ("postinstall": "node run.js") that executes automatically on npm install. The shipped beacon scripts (beacon11.js, beacon_linux.js) load child_process, os, and http, read host identifiers via os.hostname() and os.platform(), and issue outbound HTTP GET/POST requests carrying that data. This is the install-time host-fingerprinting and exfiltration shape: lifecycle execution + system-info collection + outbound network in a single chain, with no legitimate library functionality justifying the behavior.

Technical details

Affected versions

= 1.0.0

Indicators

  • affected version = 1.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
