pp-react-v5 is a dependency confusion package published at the inflated version 10.0.0 to win npm resolution over any internally-hosted package of the same name. The package contains only a package.json with no functional source code.
On installation the preinstall script executes a wget command that sends a GET request to http://q9ou9xtw.requestrepo.com/ with the current username (whoami), working directory (pwd), and hostname as query parameters, beaconing the victim machine's identity to the attacker-controlled endpoint.
-= Per source details. Do not edit below this line.=-
The package pp-react-v5 was found to contain malicious code.
The OpenSSF Package Analysis project identified 'pp-react-v5' @ 10.0.0 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"versions": [
"10.0.0"
],
"sha256": "b2291adfbdded958f2fa2a51aa5e582d8ec4bad5bb1c5c9b614bd496732c3578",
"source": "ossf-package-analysis",
"modified_time": "2026-05-11T11:20:56Z",
"import_time": "2026-05-12T01:40:23.98730387Z"
},
{
"versions": [
"10.0.0"
],
"sha256": "667950ffe2ed24a98495c0d8d6c3430e3538523c5811caf9fbda829b0773163f",
"modified_time": "2026-05-12T06:53:21Z",
"source": "amazon-inspector",
"import_time": "2026-05-12T07:28:55.481363286Z"
},
{
"versions": [
"30.0.1"
],
"sha256": "7b6506f382410337abd6bc9f24c3108c52ce25f6b359537fda9e9dabb9e077f3",
"modified_time": "2026-07-01T01:40:53Z",
"source": "ossf-package-analysis",
"import_time": "2026-07-01T01:53:48.840373183Z"
}
]
}