It actually uses Javascript to hook into the keyboard presses. Originally, it would create a link which had the keypress character passed back to the inguardians webpage. It sends this data with every keypress, not when the form is submitted, so it will send a character with every keypress. It also only puts the keypress javascript event only on password type inputs, so it would miss the username.
I have changed it to use fetch from an image because the link didn't seem to work properly for me. I also changed it to insert the javascript on every input type element. This way, I might get a bunch of junk data, but at least I'm getting all the data that's not check/radio buttons. If I changed the code to send the string on whitespace, then it would increase the time between submits and so prevent two letters from being received in an order different than they were typed.