PT-2020-21281 · Webpack · Wepack-Cli
Published
2020-09-02
·
Updated
2020-09-02
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
wepack-cli versions (affected versions not specified)
Description
wepack-cli is a typosquatted npm package: its name is one character away from the popular webpack-cli, so it was picked up by users who mistyped the intended package on install. Its install-time code collected data about anyone who installed it and uploaded that data to a remote server: the name of the package actually downloaded, the name of the package the user presumably intended, the Node.js version, and whether the install was running under sudo. No payload beyond this data collection has been reported; the severity reflects that an install hook in a typosquatted package runs arbitrary code on the developer's machine, not that further compromise was observed.
Recommendations
Check package.json and lockfiles for wepack-cli (for example with `npm ls wepack-cli`) and remove it from your dependencies; since install hooks already ran, treat the collected environment details as disclosed.
Type package names carefully when installing, and review new dependency names before committing a lockfile, so that similarly named packages are not pulled in by mistake.
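The following is an added example, not code from the advisory or from any package it names, showing the two checks a maintainer would run against a project after an advisory like this: flag dependency names that sit one edit away from a package the project actually intends to use (the wepack-cli / webpack-cli case, generalised to any near-miss name), and list which npm install lifecycle hooks an installed dependency declares, since those hooks are where a typosquat's install-time code runs. The manifests, the `INTENDED` allow-list and the hook-bearing `wepack-cli` manifest are constructed for illustration and do not describe the real package's contents.

```javascript
// Added example (not part of the advisory or of any project): detect
// typosquatted dependency names in a package.json-shaped manifest and list
// npm install hooks declared by an installed dependency.
// All manifests below are constructed; the "wepack-cli" manifest with a
// postinstall hook is hypothetical, not the real package's contents.

// Damerau-Levenshtein distance (optimal string alignment): insertions,
// deletions, substitutions and adjacent transpositions each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Names the project genuinely intends to depend on. Assumption: a real
// deployment would derive this from the project's own lockfile history or a
// list of the most-downloaded registry packages; this short list is illustrative.
const INTENDED = ['webpack', 'webpack-cli', 'lodash', 'express'];

// Collect every dependency name from a package.json-shaped object.
function dependencyNames(pkg) {
  const names = new Set();
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const name of Object.keys(pkg[field] || {})) names.add(name);
  }
  return [...names];
}

// Flag any dependency within `maxDistance` edits of an intended name that is
// not itself that name. Distance 1 covers the wepack-cli / webpack-cli case;
// raising it catches more but produces more false positives on short names.
function findTyposquats(pkg, intended = INTENDED, maxDistance = 1) {
  const hits = [];
  for (const name of dependencyNames(pkg)) {
    if (intended.includes(name)) continue;
    for (const target of intended) {
      const distance = editDistance(name, target);
      if (distance <= maxDistance) hits.push({ name, suspectedTarget: target, distance });
    }
  }
  return hits;
}

// npm runs these scripts during `npm install`; a package that phones home at
// install time does so from one of them.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function findInstallHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}

// Constructed project manifest containing the typo.
const projectPkg = {
  name: 'example-app',
  devDependencies: { 'wepack-cli': '^4.0.0', webpack: '^4.44.0' },
  dependencies: { express: '^4.17.1' },
};

// Hypothetical manifest of the installed typosquat (constructed, not the real package).
const suspectManifest = {
  name: 'wepack-cli',
  version: '4.0.0',
  scripts: { postinstall: 'node index.js' },
};

// Combine both checks into one report object so callers can act on it.
function report(pkg, manifest) {
  return { typosquats: findTyposquats(pkg), installHooks: findInstallHooks(manifest) };
}

console.log(JSON.stringify(report(projectPkg, suspectManifest), null, 2));
```

`findTyposquats` deliberately skips exact matches against the allow-list, so a project that really depends on webpack-cli is not flagged, while `wepack-cli` is reported with its suspected target and an edit distance of 1. For installs on machines you cannot fully inspect first, `npm install --ignore-scripts` prevents the hooks `findInstallHooks` lists from running at all, at the cost of breaking packages that legitimately build native code in a postinstall step.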
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Wepack-Cli