No confirmed malicious attack surface. Installation has no lifecycle execution, and runtime behavior is local TypeScript transformation. The CLI performs one explicit, non-overwriting configuration-file write.
Static reason
No blocking static signals were detected.
Trigger
Import as a Jest transformer or explicitly run ts-vitest config:init.
Impact
No exfiltration, remote execution, persistence, or destructive behavior established.
Mechanism
Local TypeScript transpilation and user-invoked Jest config initialization.
Rationale
Direct inspection shows a conventional Jest/TypeScript transformer with no install-time execution or concrete malicious behavior. The only file write is an explicit CLI command that will not overwrite an existing jest.config.js.
Evidence
package.jsondist/index.jsdist/transformer.jsdist/cli.jsdist/preset.jsdist/types.jsjest.config.js