Affected script: "install-scripts:preinstall"
The index.js
script collects sensitive information from the user's system and sends it to an external server. The data it collects includes the project directory, user home directory, hostname, username, DNS servers, the resolved URL if present, package version, and entire package.json content. This information could potentially include sensitive data such as private API keys or other secrets. It transmits this data to a specified URL ("9jtd6rt6pqm65h6twz7s9refa6gx4nsc.oastify.com") which is likely under the control of an attacker. The comments in the code suggest replacing with a known penetration testing server such as Burp Collaborator, Interactsh, or Pipedream, which are services commonly used for identifying security vulnerabilities. This behavior is indicative of malicious intent, potentially being part of a supply chain attack aimed at exfiltrating data from developers' systems.