npm · Malicious package advisory
Malwareallbridge-example-react
MAL-2026-4477
Malicious code in allbridge-example-react (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (d1b559cd05fa1b995a6564d71a35fe6bd18897f030af24e064eed9a4ee63e787) package.json declares a preinstall lifecycle script that runs `wget` against https://webhook.site/64063d25-fcd3-44e5-a454-34845bc63250/ with query parameters carrying $(whoami), $(pwd), and $(hostname). The request fires unconditionally on every `npm install`, transmitting the installing user's username, working directory, and hostname to an attacker-controlled inspection endpoint with no opt-in or documented purpose. The package name impersonates the Allbridge project but ships no library code — only the manifest with the beacon and a single suspicious dependency. This is the canonical dependency-confusion reconnaissance pattern: a lure package that maps internal build environments to enable follow-on targeting.
Compromised versions (1)
- 9.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.