MAL-2026-10401

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@espn-ping/react-dmed-oauth/MAL-2026-10401.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10401
Published
2026-07-13T05:15:09Z
Modified
2026-07-13T07:47:05.671816260Z
Summary
Malicious code in @espn-ping/react-dmed-oauth (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3bc0467ac62043cf22dd249a99ff1279646dc599702140998ff5b86c79645364)

@espn-ping/react-dmed-oauth@666.0.0 declares a preinstall lifecycle script (node index.js > /dev/null 2>&1) that automatically executes on npm install. index.js shells out via child_process.exec to collect the installer's hostname, current working directory, username, and public IP (via curl https://ifconfig.me), then transmits the encoded data via curl -k GET to https://r.dontvisitmy.website/sendreq.php?newdata=.... Output is suppressed to hide the beacon from the installer's console. The scope @espn-ping and version 666.0.0 are consistent with a dependency-confusion beacon targeting an internal ESPN/Disney namespace.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "3bc0467ac62043cf22dd249a99ff1279646dc599702140998ff5b86c79645364",
            "id": "IN-MAL-2026-009801",
            "import_time": "2026-07-13T07:40:09.707090771Z",
            "modified_time": "2026-07-13T05:15:09Z",
            "versions": [
                "666.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @espn-ping/react-dmed-oauth

Package

Name
@espn-ping/react-dmed-oauth
View open source insights on deps.dev
Purl
pkg:npm/%40espn-ping/react-dmed-oauth

Affected ranges

Affected versions

666.*
666.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "react-dmed-oauth-666.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Cck97d4l01o1jeJfpsAq+cx7+hFF8iFR0iz45HypIqlUHl3WOKPa7foOxsOeWZZIY8EpGxEL2bnZKAEOQtZupw==",
                "sha1": "7265e8e4c92590c0f7e5ddb7712e01f425f28164"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "ccf09ee274af34b1b3a770844a03640eb6477b4b1cb7c8007d1d42350fd8488a6656e8",
            "sha256": "fb898d2b17155d7515849e84fbe3680a4aa6036c263235f820f189b37aca6f34",
            "path": "index.js"
        },
        {
            "tlsh": "72e07d348f311c7369d101a6182b404a1364ef2f05147c8c73cb0c1c458d23ba8fa75c",
            "sha256": "b9217c4d23c68a9a1fe4940c26d91ad846d9b7e396117b785e7d006eb1f3ff1c",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@espn-ping/react-dmed-oauth/MAL-2026-10401.json"