npm · Malicious package advisory
Malwarereact-context-form-tdsss
MAL-2026-6512
Malicious code in react-context-form-tdsss (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (7a53e75a65681ee9ea818634ddee1ed52c6c8398dbd68e2b6abca255b24aaf37) react-context-form-tdsss@9.0.0 is a dependency-confusion payload. package.json declares scripts.preinstall="node index.js", and index.js issues an HTTPS GET to a hardcoded interactsh/OAST subdomain (d8v0o1a9io6mjndcpbgghpfmkcgcm6dno.oast.online/npm-installed) on install. This beacon discloses the installer's public IP and confirms code execution on the installer's host to the operator of the OAST listener. The package.json description self-identifies as a dependency-confusion PoC and declares a self-dependency, the shape used to squat an internal/private package name on the public registry so that resolution in a victim environment pulls and executes this code. Installing this package causes outbound network beaconing on the installer's machine without consent. ## Source: ossf-package-analysis (93a527c5b8a2dec60d70994e1423e4138bdc1a6218cf11ff7528919767b3dea3) The OpenSSF Package Analysis project identified 'react-context-form-tdsss' @ 9.0.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (1)
- 9.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.