MAL-2026-4477

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/allbridge-example-react/MAL-2026-4477.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4477
Published
2026-05-22T00:47:32Z
Modified
2026-05-26T06:02:08.654751559Z
Summary
Malicious code in allbridge-example-react (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d1b559cd05fa1b995a6564d71a35fe6bd18897f030af24e064eed9a4ee63e787)

package.json declares a preinstall lifecycle script that runs wget against https://webhook.site/64063d25-fcd3-44e5-a454-34845bc63250/ with query parameters carrying $(whoami), $(pwd), and $(hostname). The request fires unconditionally on every npm install, transmitting the installing user's username, working directory, and hostname to an attacker-controlled inspection endpoint with no opt-in or documented purpose. The package name impersonates the Allbridge project but ships no library code — only the manifest with the beacon and a single suspicious dependency. This is the canonical dependency-confusion reconnaissance pattern: a lure package that maps internal build environments to enable follow-on targeting.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004106",
            "versions": [
                "9.0.0"
            ],
            "sha256": "d1b559cd05fa1b995a6564d71a35fe6bd18897f030af24e064eed9a4ee63e787",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T00:47:32Z",
            "import_time": "2026-05-26T05:51:57.090241042Z"
        }
    ]
}
References
Credits

Affected packages

npm / allbridge-example-react

Package

Name
allbridge-example-react
Purl
pkg:npm/allbridge-example-react

Affected ranges

Affected versions

9.*
9.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "4de55be65b525ae2aefc4279b0413c957ca850b159e0e7674ce64544df37ab12",
            "tlsh": "18f0a2799630ea471ec64fa00820925ff671f91b94412e0cdeb323dc458f9df243d958"
        }
    ],
    "package_integrity": [
        {
            "filename": "allbridge-example-react-9.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-H6XGIVkGjs7jERAUZz9Q/bIWazEvEl655K/4XcVYCpUE6oXWax/1Wyz5fr5XpYp3+CQ5l3WvRRPHc94D0JLSPQ==",
                "sha1": "77bdd17642932ff5c2c0219accc7bbcec45378d4"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/allbridge-example-react/MAL-2026-4477.json"