VYPR

npm · Malicious package advisory

Malware

allbridge-example-react

MAL-2026-4477

Malicious code in allbridge-example-react (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d1b559cd05fa1b995a6564d71a35fe6bd18897f030af24e064eed9a4ee63e787)
package.json declares a preinstall lifecycle script that runs `wget` against https://webhook.site/64063d25-fcd3-44e5-a454-34845bc63250/ with query parameters carrying $(whoami), $(pwd), and $(hostname). The request fires unconditionally on every `npm install`, transmitting the installing user's username, working directory, and hostname to an attacker-controlled inspection endpoint with no opt-in or documented purpose. The package name impersonates the Allbridge project but ships no library code — only the manifest with the beacon and a single suspicious dependency. This is the canonical dependency-confusion reconnaissance pattern: a lure package that maps internal build environments to enable follow-on targeting.

Compromised versions (1)

  • 9.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.