MAL-2026-4661

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-tracked-tony/MAL-2026-4661.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4661
Aliases
  • GHSA-6734-623v-3p4r
Published
2026-05-20T05:46:00Z
Modified
2026-06-10T15:31:30.454976805Z
Summary
Malicious code in react-tracked-tony (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (eeb24dfdd4a970dc44c017056c2a39bed6aa5973a7ec7e94b20c70d90114726c)

react-tracked-tony impersonates the popular react-tracked package: package.json sets name: react-tracked-tony, author: Daishi Kato, and homepage: https://react-tracked.js.org (the real project's site), while the repository URL points at an unrelated user account (github.com/daltonchristiano060-gif/react-tracked-tony.git). The package re-exports the real react-tracked API to appear functional. On require/import in Node, endex.js fetches a JavaScript payload from https://almondco.online/api/droppers/38jmkse over HTTPS with TLS verification explicitly disabled (rejectUnauthorized: false) and executes the response body in-process via new Function('require', text + tail)(require), handing the remote code full Node require access. Before fetching, endex.js enumerates ~20 cloud/CI/sandbox indicators (GitHub Actions, GitLab CI, CircleCI, Travis, Vercel, Netlify, Kubernetes, AWS Lambda/ECS/Batch, Azure, GCP Cloud Run/App Engine) and reads /sys/class/dmi/id/sys_vendor to detect Amazon/Google/Microsoft/QEMU/OpenStack hypervisors, aborting on match — a deliberate anti-analysis gate so the payload only fires on real developer/operator machines. Combination of typosquat + impersonated author metadata + import-time remote-code-exec from a non-publisher domain + TLS verification disabled + sandbox evasion is an unambiguous supply-chain attack.

Source: ghsa-malware (16d4f6d0ea3297067353e713c7c2b6ee7079c323e17da9e2b4ea952592db09d8)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.0.1"
            ],
            "id": "IN-MAL-2026-003473",
            "modified_time": "2026-05-20T05:46:00Z",
            "import_time": "2026-05-26T05:50:42.641834809Z",
            "sha256": "eeb24dfdd4a970dc44c017056c2a39bed6aa5973a7ec7e94b20c70d90114726c",
            "source": "amazon-inspector"
        },
        {
            "sha256": "16d4f6d0ea3297067353e713c7c2b6ee7079c323e17da9e2b4ea952592db09d8",
            "id": "GHSA-6734-623v-3p4r",
            "import_time": "2026-06-10T15:25:13.626991057Z",
            "modified_time": "2026-06-10T13:55:05Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "ghsa-malware"
        }
    ]
}
References
Credits

Affected packages

npm / react-tracked-tony

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "9fb111d8b9f763390397f1bc464fa50af7ab64032229c511bd5d83603f9127483b2ae9",
            "sha256": "9dfd6663c1a1d8a452cb356580a060542777b173393f7626b789c15ae10baa99",
            "path": "dist/endex.js"
        },
        {
            "tlsh": "e9b1ee08c9d38ca31aa6a56c3ea970965519d147cd48bc1c73d9c22e0f0e67f62f4bad",
            "sha256": "49e43b79771ba9064c26dcb8efa298695a45fa988fc3ba151e4ac2d39d0733f8",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "react-tracked-tony-2.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-NckhKcQJOWZ+sDXp35SaigIg5WtdkDi8B8NUPtJlUe9aQF/2kC7cYDyT0Oom2TAKmq82q2mMy49N6oezfb9yEg==",
                "sha1": "3945adc077663ded35fdaf6b22c77586d5d6a73e"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-tracked-tony/MAL-2026-4661.json"