npm · Malicious package advisory
Malwarereact-malicious-clone
MAL-2026-4660
Malicious code in react-malicious-clone (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f03498aa5167e02289d4c8984282f6a1b6321af60fb9ff04d0ce9503faefffdd) Package name impersonates React and the package.json copies React's description, homepage (react.dev), bugs URL, and canary versioning scheme. On require/import, index.js synchronously collects os.hostname(), os.userInfo().username, cwd, platform, arch, node version, and iterates process.env filtering keys against /token|key|secret|password|auth|credential|api/i to capture arbitrary installer secrets (CI tokens, npm tokens, AWS keys, GitHub tokens, etc.). The resulting JSON payload is POSTed via https to webhook.site/0240f6ff-33e5-40a5-845a-8e3f80b6d957. The code self-labels '[SUPPLY CHAIN ATTACK - PoC]'. Any consumer requiring this package leaks credential-shaped environment variables to an attacker-controlled webhook.
Compromised versions (1)
- 19.3.0-canary-d5736f09-20260507
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.