MAL-2026-7020

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-v17/MAL-2026-7020.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-7020
Published
2026-07-08T19:30:12Z
Modified
2026-07-08T19:46:48.871795291Z
Summary
Malicious code in react-v17 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (73dab7161ffcaee5f943894308dd75428e9081b872daaed7ef50218bf98ad44a)

Package name 'react-v17' impersonates the legitimate 'react' package. package.json declares a preinstall hook 'node index.js' that auto-executes on npm install. index.js collects installer identity and host details (os.hostname(), os.userInfo(), os.platform/arch, home directory, cwd) and runs 'whoami' and 'id' via child_process.exec, then HTTPS POSTs the aggregate JSON to a hardcoded Burp Collaborator OOB endpoint at https://1jlay7gzya8akcmqs8repdf7oyupim6b.oastify.com/detox56. The tarball also ships an undeclared ~10.9 KB file 'i' next to index.js that is not referenced by package.json or index.js.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-07-08T19:33:49.779663036Z",
            "sha256": "73dab7161ffcaee5f943894308dd75428e9081b872daaed7ef50218bf98ad44a",
            "modified_time": "2026-07-08T19:30:12Z",
            "versions": [
                "20.0.1"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-008252"
        }
    ]
}
References
Credits

Affected packages

npm / react-v17

Package

Affected ranges

Affected versions

20.*
20.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "react-v17-20.0.1.tgz",
            "hashes": {
                "sha1": "2b46e2d8cfb82d7d5207f78da95322619fa3e11a",
                "sha512_sri": "sha512-+eeDnXgw5mbLVewYC+8dMWTmlwfV4vplieN02S8vWdrJY0RpX0XVSyCwfGhWyuNFBlqThpQLsu26DUWavsGejw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "e45161c505f65a241ba7b8494a4f9402b227e0033605de55bfcc8740af9937c9bf0bf2",
            "sha256": "7abadd376ce6457fa7ddeb8b81c18473d480fdb7505903b690ab162996544392",
            "path": "index.js"
        },
        {
            "tlsh": "d72288760912a800a723bdd54ee8ec5e25e8e47d621f683cf456efb62b8c14d5f1e123",
            "sha256": "5a80c722939ba6f3373043432a13cefcf6b36a52124ed1e6d261dbecd428953a",
            "path": "i"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-v17/MAL-2026-7020.json"