Name of the Vulnerable Software and Affected Versions commnader (affected versions not specified)

Description The issue concerns a typosquatted package that tracks users who have installed it by mistake, thinking it was a similarly named popular package. Upon installation, the package uploads certain information to a remote server, including the name of the downloaded package, the name of the intended package, the Node version, and whether the process is running as sudo. There is no further compromise beyond this information upload.

Recommendations Remove the commnader package from your dependencies and ensure that package names are typed correctly during installation to avoid similar issues in the future.