The file contains a script that executes automatically (e.g., during post-install) and exfiltrates sensitive environment data without user consent. It collects the current working directory, OS username, Node.js version, and platform information, and sends them as URL query parameters in an HTTPS GET request to an external OAST (Out-of-band Application Security Testing) endpoint (https://0tuokc8oz5k94lkfxck5p421zs5jtlha[.]oastify[.]com/npm-post-install). The code also silently catches errors, which hides network failures and avoids disrupting the installation process. This behavior strongly indicates malicious intent, likely for target profiling or supply-chain compromise.
Live on npm for 4 days, 14 hours and 25 minutes before removal. Socket users were protected even while the package was live.