VYPR

npm · Malicious package advisory

Malware

react-malicious-clone

MAL-2026-4660

Malicious code in react-malicious-clone (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f03498aa5167e02289d4c8984282f6a1b6321af60fb9ff04d0ce9503faefffdd)
Package name impersonates React and the package.json copies React's description, homepage (react.dev), bugs URL, and canary versioning scheme. On require/import, index.js synchronously collects os.hostname(), os.userInfo().username, cwd, platform, arch, node version, and iterates process.env filtering keys against /token|key|secret|password|auth|credential|api/i to capture arbitrary installer secrets (CI tokens, npm tokens, AWS keys, GitHub tokens, etc.). The resulting JSON payload is POSTed via https to webhook.site/0240f6ff-33e5-40a5-845a-8e3f80b6d957. The code self-labels '[SUPPLY CHAIN ATTACK - PoC]'. Any consumer requiring this package leaks credential-shaped environment variables to an attacker-controlled webhook.

Compromised versions (1)

  • 19.3.0-canary-d5736f09-20260507

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.