VYPR

npm · Malicious package advisory

Malware

react-v17

MAL-2026-7020

Malicious code in react-v17 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (73dab7161ffcaee5f943894308dd75428e9081b872daaed7ef50218bf98ad44a)
Package name 'react-v17' impersonates the legitimate 'react' package. package.json declares a preinstall hook 'node index.js' that auto-executes on npm install. index.js collects installer identity and host details (os.hostname(), os.userInfo(), os.platform/arch, home directory, cwd) and runs 'whoami' and 'id' via child_process.exec, then HTTPS POSTs the aggregate JSON to a hardcoded Burp Collaborator OOB endpoint at https://1jlay7gzya8akcmqs8repdf7oyupim6b.oastify.com/detox56. The tarball also ships an undeclared ~10.9 KB file 'i' next to index.js that is not referenced by package.json or index.js.

Compromised versions (1)

  • 20.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.