Affected script: "install-scripts:preinstall"
The script contains code that sends local user and system information (OS name, Git username, Git email) to a remote server without the user's explicit consent or knowledge. This behavior could be exploited to collect sensitive data from users which might be further used for malicious purposes such as identity theft or phishing attacks. The URLs used in the script (http://localhost:1962 and https://2tak.l.serverhost.name:1962) are indicative of data exfiltration to a possibly untrusted or compromised server. Additionally, the script uses both HTTP and HTTPS, with the HTTP connection lacking encryption, thus potentially exposing data to interception during transit.
node ./dist/scripts/postinstall.js
The code provided is a script that is likely meant to be run after the installation of an npm package (indicated by the use of postinstall.js). The script removes several sections (such as scripts, devDependencies, dependencies, eslintConfig) from the package.json file located a couple of directories up from the script's location, effectively cleaning up the package.json for production use. It also removes certain directories within the ./dist directory. This could be part of an operation to minimize the package for production by deleting unnecessary files and dependencies. There is no apparent malicious activity like stealing sensitive information, getting root access, running or downloading remote code in the script provided.
@gusmano/reext's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.