MAL-2026-4660

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-malicious-clone/MAL-2026-4660.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4660
Published
2026-05-24T14:06:28Z
Modified
2026-05-26T06:02:38.285714346Z
Summary
Malicious code in react-malicious-clone (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f03498aa5167e02289d4c8984282f6a1b6321af60fb9ff04d0ce9503faefffdd)

Package name impersonates React and the package.json copies React's description, homepage (react.dev), bugs URL, and canary versioning scheme. On require/import, index.js synchronously collects os.hostname(), os.userInfo().username, cwd, platform, arch, node version, and iterates process.env filtering keys against /token|key|secret|password|auth|credential|api/i to capture arbitrary installer secrets (CI tokens, npm tokens, AWS keys, GitHub tokens, etc.). The resulting JSON payload is POSTed via https to webhook.site/0240f6ff-33e5-40a5-845a-8e3f80b6d957. The code self-labels '[SUPPLY CHAIN ATTACK - PoC]'. Any consumer requiring this package leaks credential-shaped environment variables to an attacker-controlled webhook.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "b864ddf2d18e38ac791dd4fbacfa6fb37031ddb37538d91b3e0cebd472246b54",
            "id": "IN-MAL-2026-004508",
            "source": "amazon-inspector",
            "modified_time": "2026-05-24T14:06:29Z",
            "versions": [
                "19.3.0-canary-d5736f09-20260507"
            ],
            "import_time": "2026-05-26T05:52:44.307159672Z"
        },
        {
            "sha256": "f03498aa5167e02289d4c8984282f6a1b6321af60fb9ff04d0ce9503faefffdd",
            "import_time": "2026-05-26T05:52:44.182401453Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-24T14:06:28Z",
            "versions": [
                "19.3.0-canary-d5736f09-20260507"
            ],
            "id": "IN-MAL-2026-004507"
        }
    ]
}
References
Credits

Affected packages

npm / react-malicious-clone

Package

Name
react-malicious-clone
Purl
pkg:npm/react-malicious-clone

Affected ranges

Affected versions

19.*
19.3.0-canary-d5736f09-20260507

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-malicious-clone/MAL-2026-4660.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "domains": [
        "webhook.site"
    ],
    "evidence_files": [
        {
            "tlsh": "8b2101f251b4495516b3a6e67043515761fac007bb21f878b3dc82f81fd8adc10b39da",
            "sha256": "29ab3db2edb33c21866ab63f84eb81e6f74e8f8edcb779236a75fafe050ae6b4",
            "path": "index.js"
        },
        {
            "sha256": "cbc19ef4666c75222b6a6b6caf28a12d75c7aa9e2d8e406a2eda258f5edc0601",
            "tlsh": "0621d119d9a49da30de62a9a6c291186a319585f0d493e487b8a942e5b4d0cf10fa31c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "react-malicious-clone-19.3.0-canary-d5736f09-20260507.tgz",
            "hashes": {
                "sha1": "d2094639e3020c4f498a44bfe993e621e3d3b882",
                "sha512_sri": "sha512-CXsdCkC+uj+WK/xaA9JN7/MAM8p5MBOk9//YZkM2gPlzeDhi4zxsgfSpiA0LicHjBcc1xTdd8MzW0DKEOT8hNQ=="
            }
        }
    ]
}