npm · Malicious package advisory
Malwarereact-v17
MAL-2026-7020
Malicious code in react-v17 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (73dab7161ffcaee5f943894308dd75428e9081b872daaed7ef50218bf98ad44a) Package name 'react-v17' impersonates the legitimate 'react' package. package.json declares a preinstall hook 'node index.js' that auto-executes on npm install. index.js collects installer identity and host details (os.hostname(), os.userInfo(), os.platform/arch, home directory, cwd) and runs 'whoami' and 'id' via child_process.exec, then HTTPS POSTs the aggregate JSON to a hardcoded Burp Collaborator OOB endpoint at https://1jlay7gzya8akcmqs8repdf7oyupim6b.oastify.com/detox56. The tarball also ships an undeclared ~10.9 KB file 'i' next to index.js that is not referenced by package.json or index.js.
Compromised versions (1)
- 20.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.