Affected script: "install-scripts:preinstall"
The script collects the local system username, Git configuration details (username and e-mail), and then sends them to a remote server. This behavior could potentially leak sensitive user information and credentials to an external party without the user's knowledge. Furthermore, the distinction in destination server based on the username xmarcgusmano suggests potentially targeted or testing behavior which is not typical for a legitimate pre-installation script. This could be a sign of an attempt to exfiltrate data or set the stage for further exploitation. The script also connects to an HTTP server when the username is xmarcgusmano, which is not secure and could be vulnerable to man-in-the-middle attacks. The use of HTTPS in the other branch does not eliminate the concerns regarding unauthorized data exfiltration.
node ./dist/scripts/postinstall.js
The code provided is a part of a post-installation script that is used to clean up certain parts of a package or project after the installation process completes. It deletes specified scripts, configurations, and dependencies from the package.json file and removes certain directories from the 'dist' folder, which are likely to be related to development such as scripts, data, resources, and source directories. While the ability to modify files and directories could be misused in some contexts, there is nothing in this particular snippet that indicates it is being used to run or download remote code, steal sensitive information, escalate privileges, or harm the system. It's also worth noting that such post-installation scripts should be used with caution, and the source of the package should be trusted, as they can execute arbitrary code on the system.
@gusmano/reext's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.