Affected script: "install-scripts:preinstall"
This script collects sensitive information from the user's environment, including package information, current working directory, home directory, hostname, username, DNS servers, and some package.json contents, then it sends this data to a potentially malicious external server. This could lead to a breach of privacy or could be used for more targeted attacks since the hostname and unique identifiers could be used to fingerprint the system. Moreover, the collected information might include data resolved from the package.json file, which could contain sensitive tokens or API keys. The transmission of such data to a third party without consent is a serious security issue.