Affected script: "install-scripts:preinstall"
This code gathers information from the host system, such as hostname, username, public IP address, and directory path. It then base64-encodes this information and sends a POST request to a central server at "ckqrcfs2vtc00002qnaggj5hgeyyyyyyb.oast.fun". The captured data can be used by the attacker to gain sensitive information about the host system.
Further, on error, it uses nslookup to resolve IP addresses of the targeted URL and send them through child_process.exec which is notorious for command injection if not properly sanitized. It can be used by an attacker to run arbitrary commands on an affected system.
Also, the script tries to delete itself (fs.unlink(__filename) command), which is a common behavior of malware to hide its traces.