Supply-chain threat intelligence

Incident detail

critical · npm · maintainer compromise · osv

Malicious code in metrics-pipeline-d8k2 (npm)

metrics-pipeline-d8k2

Risk score

92

AI summary

Indexed incident for metrics-pipeline-d8k2 (npm).

Description

The package declares "postinstall": "node run.js" in package.json, so the bundled beacon scripts run automatically on npm install. beacon29.js loads child_process, https, and fs; reads files via fs.readFileSync and reads process.env; gathers host identity (process.platform); and POSTs/GETs the data to remote endpoints. It also references https://registry.npmjs.org and https://npm.pkg.github.com, consistent with credential/token harvesting and potential self-propagation through registry APIs. beacon_linux.js mirrors the pattern on Linux: require('child_process') and require('http'), os.hostname() and os.platform(), followed by an http.request(...) POST to a remote host. The package's stated "metrics pipeline" name is a cover; the only behavior on install is host fingerprinting and outbound exfiltration. Installing this package on a developer or CI machine causes immediate compromise: environment variables (which commonly hold cloud and CI tokens), file contents, and host identifiers are sent to attacker-controlled infrastructure without user interaction.
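As an added example (not ThreatPkg's code and not the package's own), a defender-side static pre-install check for exactly the pattern listed above: an npm lifecycle hook in package.json combined with bundled JavaScript that mixes environment or file reads and host fingerprinting with a network sink. The package contents below are constructed fixtures, not the real package files.

```javascript
// Static audit of an unpacked npm tarball before `npm install` runs its hooks.
// Inputs: the parsed package.json and a { path: source } map of bundled files.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each indicator is a regex over file source plus a short id used in findings.
const INDICATORS = [
  { id: 'exec',     re: /require\(['"]child_process['"]\)/ },
  { id: 'net',      re: /require\(['"]https?['"]\)|\bhttps?\.request\(/ },
  { id: 'env',      re: /\bprocess\.env\b/ },
  { id: 'fsread',   re: /\bfs\.readFileSync\(/ },
  { id: 'hostid',   re: /\bos\.hostname\(\)|\bos\.platform\(\)|\bprocess\.platform\b/ },
  { id: 'registry', re: /registry\.npmjs\.org|npm\.pkg\.github\.com/ },
];

function scanSource(src) {
  return INDICATORS.filter(i => i.re.test(src)).map(i => i.id);
}

function auditPackage(pkg, files) {
  const scripts = pkg.scripts || {};
  const hooks = INSTALL_HOOKS.filter(h => scripts[h]);
  const fileHits = {};
  for (const [path, src] of Object.entries(files)) {
    const hits = scanSource(src);
    if (hits.length) fileHits[path] = hits;
  }
  // Exfil-like: a secret/host-identity source AND a network sink in one file.
  const exfil = Object.values(fileHits).some(h =>
    h.includes('net') && ['env', 'fsread', 'hostid'].some(s => h.includes(s)));
  const hasHook = hooks.length > 0;
  const verdict = hasHook && exfil ? 'block' : (hasHook || exfil ? 'review' : 'allow');
  return { hooks, fileHits, verdict };
}

// Constructed fixture mirroring the description; file bodies are stand-ins
// (mostly comments) that only carry the indicator tokens, not working code.
const samplePkg = { name: 'example-pkg', version: '0.0.0',
  scripts: { postinstall: 'node run.js' } };
const sampleFiles = {
  'run.js': "require('./beacon29.js');",
  'beacon29.js': "const cp = require('child_process'); const https = require('https');\n" +
    "// ... gathers process.env, process.platform and fs.readFileSync(...) output\n" +
    "// ... then sends it with https.request(...) to a remote endpoint\n",
};

const benignPkg = { name: 'adder', version: '1.0.0', scripts: { test: 'node test.js' } };
const benignFiles = { 'index.js': 'module.exports = (a, b) => a + b;' };

module.exports = { scanSource, auditPackage, samplePkg, sampleFiles, benignPkg, benignFiles };
```

`verdict` is 'block' only when both a lifecycle hook and an exfil-like file are present; a hook alone or a suspicious file alone is routed to human 'review'.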

Technical details

Affected versions

  • = 1.0.3
  • = 1.0.0
  • = 1.0.4
  • = 1.0.5
  • = 1.0.2
  • = 1.0.1

Indicators

  • affected version = 1.0.3 (75%)
  • affected version = 1.0.0 (75%)
  • affected version = 1.0.4 (75%)
  • affected version = 1.0.5 (75%)
  • affected version = 1.0.2 (75%)
  • affected version = 1.0.1 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents