On install, package.json's postinstall hook executes run.js. The package ships beacon15.js and beacon_linux.js, which import child_process, os, and http and issue outbound HTTP requests carrying host identifiers. beacon_linux.js reads os.hostname() and os.platform() and POSTs them via http.request(); beacon15.js similarly issues GET/http.request() calls referencing host id fields. The combination of a lifecycle hook that runs on every install plus modules that collect host metadata and beacon it outbound matches an install-time host-exfiltration / C2 callback pattern with no legitimate documented purpose.