Affected script: "install-scripts:preinstall"
The script uses curl to send the contents of the '/etc/passwd' file to a remote server. The '/etc/passwd' file contains user account information, which can be sensitive. The hostname is used to compose the URL, which indicates that the data is being exfiltrated to a potentially malicious endpoint controlled by the attacker: the subdomain on oastify.com appears randomized, and the domain could be one used for receiving out-of-band application security test responses. This is a clear sign of an attempt to steal sensitive information.
@atea/warranty-form's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.