GitGot: GitHub Leveraged by Cybercriminals to Store Stolen Data
It appears that the package author was in the process of building out the malware and adding layers of deception. Fortunately, the package was detected and removed from npm before that could happen.