The package's postinstall lifecycle script (postinstall.js) executes automatically on npm install and POSTs the JSON-serialized contents of the entire process.env to https://eoarlb39lor5s7x.m.pipedream.net. The fetch is wired with .catch(() => {}) so the exfiltration fails silently and produces no installer-visible error. On CI runners and developer machines, process.env routinely holds high-value secrets (GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID/SECRET_ACCESS_KEY, CI provider tokens, arbitrary deploy credentials), all of which are shipped to the attacker-controlled Pipedream webhook in a single bulk dump. There is no license-check, telemetry-disclosure, or other legitimate reason to enumerate the entire environment; the indiscriminate serialization combined with a third-party webhook destination is the canonical install-time credential-harvest shape.