The first thing you should know is that no external code runs here, and that your passwords (including their full hashes) are never transmitted.

Instead, when you hit submit, a SHA-1 hash of your password is created in your browser, and the first 6 characters of that hash are sent to the Have I Been Pwned API. The response contains a list of hashes that begin with the same 6 characters along with how many times that password has been found in data breaches.

JavaScript in your browser then filters through the matching hashes to see if any of them match the full hash of your password and notifies you of how many times that was found.