VYPR

npm · Malicious package advisory

Malware

computerrock-babel-preset-react-app

MAL-2026-6131

Malicious code in computerrock-babel-preset-react-app (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8987a1638ceebfb3dc8c8fc29e8e696fa15c6fe667697dfc367f59bf56b14cfa)
The package impersonates the well-known babel-preset-react-app under a fake org-style prefix and ships no Babel preset code. package.json declares "preinstall": "node index.js", which runs automatically on npm install. index.js collects hostname, platform, arch, homedir, username/uid/gid/shell, OS info, current working directory, and the output of `whoami` and `id`, then POSTs the JSON payload to a hardcoded https://0bccssrkeubggq24k750nrw0erki88wx.oastify.com/detox56 URL (a Burp Collaborator out-of-band exfiltration host). The package's only function is reconnaissance and exfiltration of installer-side identifiers to an attacker-controlled host.

Compromised versions (1)

  • 15.12.11

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.