VYPR

npm · Malicious package advisory

Malware

react-dom-v17

MAL-2026-10207

Malicious code in react-dom-v17 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f55f6e35ab09a2fcd6521dac51aa4baa4cfa726958bc266a0d56fc14de240a29)
Package name impersonates the widely-used `react-dom` package (react-dom-v17). `package.json` declares `preinstall: node index.js`, which fires automatically on `npm install`. The preinstall script (`index.js`) shells out via `child_process.exec` to run `whoami` and `id`, and collects host/user identifiers via `os.hostname()`, `os.userInfo()` (username, uid, gid, shell), `process.platform`, arch, home directory, and cwd. The collected JSON payload is POSTed to a hardcoded Burp Collaborator (oastify.com) subdomain at `https://cjzlyigayl8lknm1sjrppofio9u0is6h.oastify.com/detox56`. The oastify.com host is an attacker-controlled out-of-band callback endpoint used for reconnaissance beacons and confirms exfiltration intent. The preinstall shell execution surface also establishes arbitrary command execution on the installer at install time, enabling follow-on payloads.

Compromised versions (1)

  • 15.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.