Affected script: "install-scripts:preinstall"
The script gathers sensitive information such as the current package name, current directory, home directory, hostname, username, DNS servers, package resolution information, package version, and the entire contents of the package.json file. It then sends this data to a remote server via an HTTPS POST request. This could lead to the exposure of sensitive information and be part of a data exfiltration mechanism which is a security vulnerability. The server it sends data to is most likely controlled by an attacker, indicated by the unusual hostname which might be used for tracking or malicious purposes.
ifl-tokens's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.