Severity: Critical
CVSS Score: 9.8
Versions 1.0.2, 1.0.3, 1.0.4 and 1.0.5 of `8.9.4` contain malicious code as a preinstall script. The package reads the system's SSH keys but does not upload it to a remote server. ## Recommendation Remove the package from your environment. There is no evidence of further compromise at the moment.