extract-axure-data

Warn

Audited by Socket on Apr 14, 2026

1 alert found:

Anomaly (LOW)
scripts/extract.mjs

No clear, direct malware (no reverse shells, no exfiltration to suspicious domains, no explicit credential harvesting) is present in this fragment. However, the module performs two high-risk operations: (1) it installs and imports Playwright at runtime via execSync, using an environment-influenced download host, and (2) it fetches remote Axure JavaScript and executes it in a Node vm context. If an attacker can control the provided baseUrl or the environment variables, this could be leveraged for sandbox escape or supply-chain redirection. Recommendation: pin dependencies, remove runtime installs, and harden or avoid execution of untrusted remote JS.

Confidence: 62%
Severity: 52%
Audit Metadata

Analyzed At: Apr 14, 2026, 01:00 AM
Package URL: pkg:socket/skills-sh/lintendo%2FAxhub-Skills%2Fextract-axure-data%2F@af16bd05c0a6d03ff5aae6dc614ce4f6014461e0