Installing the package triggers a preinstall command before normal package use. The command gathers local and CI environment metadata and transmits it to an external OAST endpoint.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm installation of relativity-foundation-core@6.8.2
Impact
Discloses host, user, working-directory, registry, and CI metadata to a third party without consent.
Mechanism
preinstall-time environment reconnaissance and HTTPS exfiltration
Attack narrative
On installation, npm runs the inline `preinstall` command in `package.json`. It reads hostname and selected environment variables, including CI and repository metadata, serializes and base64-encodes them, then makes an HTTPS request to an OASTify-controlled endpoint. The catch-all error handler suppresses failures. This is unsolicited install-time reconnaissance and exfiltration; the package entrypoint provides no legitimate functionality that would require it.
Rationale
Source inspection confirms concrete preinstall-time collection and external transmission of local/CI metadata. The behavior is unrelated to the package's empty runtime export and is malicious.
Network endpoints1
aiwi9di43fzbjwncfrimdvkgu701orcg.oastify.com/?d=