MAL-2026-3509

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pp-react-v5/MAL-2026-3509.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3509
Published
2026-05-11T00:00:00Z
Modified
2026-07-01T02:01:39.384780448Z
Summary
Malicious code in pp-react-v5 (npm)
Details

pp-react-v5 is a dependency confusion package published at the inflated version 10.0.0 to win npm resolution over any internally-hosted package of the same name. The package contains only a package.json with no functional source code.

On installation the preinstall script executes a wget command that sends a GET request to http://q9ou9xtw.requestrepo.com/ with the current username (whoami), working directory (pwd), and hostname as query parameters, beaconing the victim machine's identity to the attacker-controlled endpoint.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (667950ffe2ed24a98495c0d8d6c3430e3538523c5811caf9fbda829b0773163f)

The package pp-react-v5 was found to contain malicious code.

Source: ossf-package-analysis (b2291adfbdded958f2fa2a51aa5e582d8ec4bad5bb1c5c9b614bd496732c3578)

The OpenSSF Package Analysis project identified 'pp-react-v5' @ 10.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "10.0.0"
            ],
            "sha256": "b2291adfbdded958f2fa2a51aa5e582d8ec4bad5bb1c5c9b614bd496732c3578",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-11T11:20:56Z",
            "import_time": "2026-05-12T01:40:23.98730387Z"
        },
        {
            "versions": [
                "10.0.0"
            ],
            "sha256": "667950ffe2ed24a98495c0d8d6c3430e3538523c5811caf9fbda829b0773163f",
            "modified_time": "2026-05-12T06:53:21Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-12T07:28:55.481363286Z"
        },
        {
            "versions": [
                "30.0.1"
            ],
            "sha256": "7b6506f382410337abd6bc9f24c3108c52ce25f6b359537fda9e9dabb9e077f3",
            "modified_time": "2026-07-01T01:40:53Z",
            "source": "ossf-package-analysis",
            "import_time": "2026-07-01T01:53:48.840373183Z"
        }
    ]
}
References
Credits

Affected packages

npm / pp-react-v5

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

10.*
10.0.0
30.*
30.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pp-react-v5/MAL-2026-3509.json"