THREATPKG
Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in ecto_module (npm)

ecto_module

Risk score

92

AI summary

Indexed incident for ecto_module (npm).

Description

On npm install, the package's preinstall hook (node index.js) reads /flag.txt (falling back to execSync('cat /flag*')) and transmits the captured contents in a JSON manifest field via HTTP PUT to a hardcoded endpoint at 127.0.0.1:3000/api/modules/ECT-987654. The package has no legitimate functionality — its description is simply 'Probe', it ships only index.js plus package.json, and the sole effect of installation is to read an installer-side file and ship it to whatever process is listening on the loopback port. This is a CTF/supply-chain probe payload: filesystem read + shell command execution + outbound HTTP, all auto-fired at install time.

Technical details

Affected versions

=100.0.0

Indicators

  • affected version = 100.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
