Affected script: "install-scripts:preinstall"
The script collects the user's OS name and Git configuration details (including the configured user name and email) and sends them to a remote server over HTTP or HTTPS. This is a data exfiltration pattern rather than a vulnerability in the package: an install hook has no legitimate reason to read Git identity fields and transmit them off-host, and the user installing the package has not consented to it. Where the transport is plain HTTP, the harvested data can additionally be intercepted or tampered with in transit, but the exfiltration itself is the primary concern regardless of transport. The script also copies files to a directory outside the package's own tree ('../../../public/'). This is not directory traversal in the usual sense (an attacker supplying a crafted path); it is the install script itself writing into the consuming project, relative to wherever the package happens to be installed, which can overwrite or plant files there. Both behaviors warrant treating the package as malicious until the script has been reviewed; installing with 'npm install --ignore-scripts' prevents the hook from running in the meantime.
node ./dist/scripts/postinstall.js
This script runs after the package is installed. It deletes certain scripts and configuration from the package.json file (dev, build, test, watch, coverage, eslintConfig, devDependencies and dependencies) and removes specific directories within the 'dist' folder. The intention appears to be to trim development-related scripts, configuration and build artifacts from the installed copy. There is no indication in the provided code that it reads sensitive information, gains unauthorized access, runs or downloads remote code, or otherwise harms the system. Note that a clean postinstall hook does not offset the preinstall finding: npm runs both, and the preinstall script executes first.
@gusmano/reext's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.