Affected script: "install-scripts:preinstall"
The script is leaking system user information, Git user configuration, and attempts to contact an external server with this information, posing a significant privacy and security risk. Additionally, contacting arbitrary servers could be used to download and execute harmful code.
node ./dist/scripts/postinstall.js
The script is a post-installation script for a Node.js package. It modifies the package.json file to remove various script entries and configuration blocks such as 'dev', 'build', 'test', 'watch', 'coverage', 'eslintConfig', 'devDependencies', and 'dependencies'. It also deletes certain directories within the dist
folder like 'scripts', 'data', 'resources', and 'source'. However, one line that intends to delete a directory (../../../public/ext/enterprise
) is commented out and wouldn't execute. There's no evidence that this script is designed to compromise security, steal sensitive information or gain unauthorized access. It seems to be a cleanup script that is run after a package installation.
@gusmano/reext
's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.