npm · Malicious package advisory
Malwarecomputerrock-babel-preset-react-app
MAL-2026-6131
Malicious code in computerrock-babel-preset-react-app (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8987a1638ceebfb3dc8c8fc29e8e696fa15c6fe667697dfc367f59bf56b14cfa) The package impersonates the well-known babel-preset-react-app under a fake org-style prefix and ships no Babel preset code. package.json declares "preinstall": "node index.js", which runs automatically on npm install. index.js collects hostname, platform, arch, homedir, username/uid/gid/shell, OS info, current working directory, and the output of `whoami` and `id`, then POSTs the JSON payload to a hardcoded https://0bccssrkeubggq24k750nrw0erki88wx.oastify.com/detox56 URL (a Burp Collaborator out-of-band exfiltration host). The package's only function is reconnaissance and exfiltration of installer-side identifiers to an attacker-controlled host.
Compromised versions (1)
- 15.12.11
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.