⚠️ This package seems to have critical severity install script vulnerabilities

Affected script: "install-scripts:preinstall"

The script gathers sensitive information such as the current package name, current directory, home directory, hostname, username, DNS servers, package resolution information, package version, and the entire contents of the package.json file. It then sends this data to a remote server via an HTTPS POST request. This could lead to the exposure of sensitive information and be part of a data exfiltration mechanism which is a security vulnerability. The server it sends data to is most likely controlled by an attacker, indicated by the unusual hostname which might be used for tracking or malicious purposes.

Generated on Nov 11, 2023 via pnpm

ifl-tokens 4.27.2

"Indeed app POC "

Package summary

2

issues

1

license

Package created

13 Nov 2023

Version published

11 Nov 2023

Maintainers

0

Total deps

1

Direct deps

0

License

ISC

Issues

2

1 high severity issue

ifl-tokens@4.27.2

Package uses preinstall script: "node index.js"

via: ifl-tokens@4.27.2

1 moderate severity issue

ifl-tokens@4.27.2

Package has no specified source code repository

via: ifl-tokens@4.27.2

Licenses

ISC License

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

Cannot

hold-liable

Must

include-copyright

include-license

1 Packages, Including:

ifl-tokens@4.27.2

Direct Dependencies

0

All Dependencies CSV

ⓘ This is a list of ifl-tokens 's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name	Version	Size	License	Type	Vulnerabilities

All Versions