Affected script: "install-scripts:preinstall"
The code contains a portion where it tries to discern the current user's username (osname), and then, depending on the value of osname, it sends a request to either a local or remote server containing the username and git configuration data (the user's name and email), thus potentially leaking sensitive user information. It makes an unencrypted HTTP request if osname equals 'xmarcgusmano' and an HTTPS request otherwise. The mere act of sending such user-identifiable information without clear consent and for unknown purposes can be considered a security vulnerability, as it could be part of a data exfiltration technique. This behavior is generally unexpected from a preinstall script as part of a Node.js package installation process.
node ./dist/scripts/postinstall.js
The code provided appears to be a post-installation script for a Node.js package. It uses the fs module to modify the package.json file situated three directories up from the script's location by removing various script entries and dependencies. Additionally, it deletes several directories (./dist/scripts, ./dist/data, ./dist/resources, ./dist/source) within the dist directory of the package. This seems like it could be for cleanup after installation. There is no immediately obvious malicious functionality, such as code that steals sensitive information, gains unauthorized access, or downloads and executes remote code. However, there is a commented-out line that could potentially remove a directory outside the package's scope, but as it is commented out, it is not a concern unless activated. It's always recommended to conduct a thorough review and understand the context to ensure safety before running scripts, especially those that modify files or directories.
@gusmano/reext's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.