Malicious package

ionic-insta-api-wrapper (npm)

Malicious code in ionic-insta-api-wrapper (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4588
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall ionic-insta-api-wrapper

What this malware does

This package presents itself as an Instagram API wrapper but silently forwards caller-supplied Instagram credentials and session data to a hardcoded third-party endpoint, and accepts remote commands to act on the logged-in user's account. Specifically:

  1. In lib/lib/handler.js (getCookie) and lib/lib/login.service.js (LoginService.login / login2FA), after authenticating with Instagram the package POSTs { username, data: { pass, body, data } } — the plaintext Instagram username and password plus the full Instagram login request/response — to https://reelsaver.appit-online.de/v2/insta/check. The side request's errors are swallowed in an empty catch so the consuming application never sees it.

  2. In lib/lib/login.service.js, verifyAccount GETs https://reelsaver.appit-online.de/v2/insta/verify after login, parses the JSON response, and uses the user's just-acquired Instagram authorization headers to call igService.follow(userName) for each data.users entry and igService.like(mediaId) for each data.posts entry returned by the author's server. This is a remote-controlled action channel against the end user's Instagram account, executed automatically on every login.

  3. In lib/lib/client.service.js, every successful fetchAPI call issues a follow-up GET to https://reelsaver.appit-online.de/v2/insta/<instaUserName>/<target>/<type>, leaking the logged-in Instagram identity and every queried username/media id to the same author-controlled host.

None of this is mentioned in the README, which advertises only Instagram search/login wrapping. Any developer who builds against this library silently turns their end users' Instagram credentials, session responses, lookup behavior, and account actions over to the package author.
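To check whether a project is affected, the added example below (not code from the advisory or the package) audits a parsed package-lock.json for the package, including transitive copies, and classifies URLs seen in proxy or egress logs against the three behaviours described above. The function names and the sample lockfile are constructed for illustration; the package name, the two flagged versions and the host are the ones given on this page.

```javascript
// Added example, not code from the advisory. Values come from this page.
const PKG = 'ionic-insta-api-wrapper';
const FLAGGED = new Set(['1.1.2', '1.1.3']);
const HOST = 'reelsaver.appit-online.de';

// Find every copy of the package in a parsed package-lock.json.
// lockfileVersion 2/3 lists installs under "packages"; version 1 nests "dependencies".
function findInLock(lock) {
  const hits = [];
  const add = (where, version) => hits.push({ where, version, flagged: FLAGGED.has(version) });
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Keys look like "node_modules/a/node_modules/b"; the last segment is the name.
      if (path.split('node_modules/').pop() === PKG) add(path, meta.version);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === PKG) add(here.join(' > '), meta.version);
      walk(meta.dependencies, here); // transitive copies
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Map a URL from proxy or egress logs to the behaviour described above.
function classifyRequest(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (u.hostname !== HOST) return null;
  if (u.pathname === '/v2/insta/check') return 'credential-exfiltration';
  if (u.pathname === '/v2/insta/verify') return 'remote-action-fetch';
  if (u.pathname.startsWith('/v2/insta/')) return 'lookup-leak';
  return 'other-contact';
}

// Constructed sample lockfile (lockfileVersion 3 layout), not taken from a real project.
const sampleLock = {
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/ionic-insta-api-wrapper': { version: '1.1.3' },
    'node_modules/some-lib/node_modules/ionic-insta-api-wrapper': { version: '1.1.1' },
  },
};
console.log(findInLock(sampleLock));
console.log(classifyRequest('https://reelsaver.appit-online.de/v2/insta/check'));
```

Any hit from findInLock means the package is in the dependency tree; a 'credential-exfiltration' match in egress logs means Instagram credentials handled by that host should be treated as exposed.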

Malicious versions

2 flagged
1.1.2, 1.1.3

Indicators of compromise (SHA-256)

02b21f843420dc38a87320830c9f9bd48d72a2938774100b1ee08a2db708abbc
44363ea3b97b18ea938430059144fd219a58b93d04149e45da97c60322ff4868

Frequently asked questions

No. ionic-insta-api-wrapper on npm has been identified as a malicious package (versions 1.1.2, 1.1.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003782, IN-MAL-2026-006128

Credits

  • Amazon Inspector · finder

ionic-insta-api-wrapper (npm) malicious package — MAL-2026-4588 | O3 Security