MAL-2026-4661

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-tracked-tony/MAL-2026-4661.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4661

Published

2026-05-20T05:46:00Z

Modified

2026-05-26T06:02:53.950499869Z

Summary

Malicious code in react-tracked-tony (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (eeb24dfdd4a970dc44c017056c2a39bed6aa5973a7ec7e94b20c70d90114726c)

react-tracked-tony impersonates the popular react-tracked package: package.json sets name: react-tracked-tony, author: Daishi Kato, and homepage: https://react-tracked.js.org (the real project's site), while the repository URL points at an unrelated user account (github.com/daltonchristiano060-gif/react-tracked-tony.git). The package re-exports the real react-tracked API to appear functional. On require/import in Node, endex.js fetches a JavaScript payload from https://almondco.online/api/droppers/38jmkse over HTTPS with TLS verification explicitly disabled (rejectUnauthorized: false) and executes the response body in-process via new Function('require', text + tail)(require), handing the remote code full Node require access. Before fetching, endex.js enumerates ~20 cloud/CI/sandbox indicators (GitHub Actions, GitLab CI, CircleCI, Travis, Vercel, Netlify, Kubernetes, AWS Lambda/ECS/Batch, Azure, GCP Cloud Run/App Engine) and reads /sys/class/dmi/id/sys_vendor to detect Amazon/Google/Microsoft/QEMU/OpenStack hypervisors, aborting on match — a deliberate anti-analysis gate so the payload only fires on real developer/operator machines. Combination of typosquat + impersonated author metadata + import-time remote-code-exec from a non-publisher domain + TLS verification disabled + sandbox evasion is an unambiguous supply-chain attack.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:50:42.641834809Z",
            "sha256": "eeb24dfdd4a970dc44c017056c2a39bed6aa5973a7ec7e94b20c70d90114726c",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003473",
            "modified_time": "2026-05-20T05:46:00Z",
            "versions": [
                "2.0.1"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/react-tracked-tony/v/2.0.1

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / react-tracked-tony

Package

Name: react-tracked-tony; View open source insights on deps.dev
Purl: pkg:npm/react-tracked-tony

Affected ranges

Affected versions

2.*

2.0.1

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-tracked-tony/MAL-2026-4661.json"

indicators

{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-NckhKcQJOWZ+sDXp35SaigIg5WtdkDi8B8NUPtJlUe9aQF/2kC7cYDyT0Oom2TAKmq82q2mMy49N6oezfb9yEg==",
                "sha1": "3945adc077663ded35fdaf6b22c77586d5d6a73e"
            },
            "filename": "react-tracked-tony-2.0.1.tgz"
        }
    ],
    "evidence_files": [
        {
            "sha256": "9dfd6663c1a1d8a452cb356580a060542777b173393f7626b789c15ae10baa99",
            "tlsh": "9fb111d8b9f763390397f1bc464fa50af7ab64032229c511bd5d83603f9127483b2ae9",
            "path": "dist/endex.js"
        },
        {
            "sha256": "49e43b79771ba9064c26dcb8efa298695a45fa988fc3ba151e4ac2d39d0733f8",
            "tlsh": "e9b1ee08c9d38ca31aa6a56c3ea970965519d147cd48bc1c73d9c22e0f0e67f62f4bad",
            "path": "package.json"
        }
    ]
}