Affected script: "install-scripts:preinstall"
The code makes an HTTP or HTTPS request to a server, transmitting the current user's OS username, Git name, and Git email address, which can be sensitive information. There are also code fragments that copy files within the system, which might be manipulated for harmful aims. The combination of information leakage and internal file operations could be leveraged to prepare or execute an attack on the system or its user.
@gusmano/reext's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.