Affected script: "install-scripts:preinstall"
The script sends local user information (OS username, Git config name, and email) to a remote server, which could be used for malicious purposes such as phishing or unauthorized access. The use of HTTP and HTTPS requests to send sensitive data to an external endpoint is a potential security vulnerability, as this data could be intercepted or misused by an attacker.
node ./dist/scripts/postinstall.js
The script appears to be a post-installation cleanup script for a Node.js project. It performs the following actions:
fs module for filesystem operations and the chalk module for colored console output.
package.json file from the project root.
dev, build, test, watch, coverage, eslintConfig, devDependencies, and dependencies
../dist/scripts, ./dist/data, ./dist/resources, and ./dist/source directories recursively and with force.
../../../public/ext/enterprise directory, which could have been a vulnerability if it was trying to access directories outside of the project scope.

@gusmano/reext's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.