Name of the Vulnerable Software and Affected Versions asynnc versions (affected versions not specified)

Description The issue concerns a typosquatted package that tracks users who have installed it by mistake, thinking it was a similarly named popular package. It uploads various information to a remote server, including the name of the downloaded package, the intended package name, the Node version, and whether the process is running as sudo. There are no reports of further compromise.

Recommendations Remove the asynnc package from your dependencies. Always ensure package names are typed correctly upon installation.