Affected script: "install-scripts:preinstall"
The script collects sensitive data: the project directory (__dirname), home directory (os.homedir()), hostname (os.hostname()), username (os.userInfo().username), DNS servers (dns.getServers()), the package's resolved URL if present (___resolved), the package version, and the entire contents of package.json. It then sends this data to a remote server in an HTTPS POST request. The hostname used in the script is likely controlled by an attacker, as indicated by its structure (it looks like a domain generated for covertly receiving data). The data sent can be used to perform further attacks, conduct reconnaissance, or steal sensitive information.