insight-pdf

Warn

Audited by Socket on Mar 5, 2026

1 alert found:

Security: MEDIUM
package.json

The install script and dependency are not directly executing arbitrary remote JavaScript, shelling out to unknown hosts, or using insecure HTTP references, so there's no immediate evidence of active malware. However, the postinstall step causes automated download and installation of browser binaries and may execute package install hooks from Playwright or its transitive dependencies. This introduces supply-chain risk: a malicious or compromised Playwright release (or a compromise of its binary distribution) could result in remote code execution, telemetry/data exfiltration, or other unwanted behavior during install. Review and pin trusted Playwright versions, verify checksums or use an allowlist for binaries if possible, and audit the Playwright package and its install logs when installing in sensitive environments.

Confidence: 80%
Severity: 70%

Audit Metadata
Analyzed At: Mar 5, 2026, 07:04 PM
Package URL: pkg:socket/skills-sh/wghust%2Fstark-skills%2Finsight-pdf%2F@817d57a518d26e35e8cf61174ff70c5c788b53fe