-= Per source details. Do not edit below this line.=-
Package name 'react-v17' impersonates the legitimate 'react' package. package.json declares a preinstall hook 'node index.js' that auto-executes on npm install. index.js collects installer identity and host details (os.hostname(), os.userInfo(), os.platform/arch, home directory, cwd) and runs 'whoami' and 'id' via child_process.exec, then HTTPS POSTs the aggregate JSON to a hardcoded Burp Collaborator OOB endpoint at https://1jlay7gzya8akcmqs8repdf7oyupim6b.oastify.com/detox56. The tarball also ships an undeclared ~10.9 KB file 'i' next to index.js that is not referenced by package.json or index.js.
{
"malicious-packages-origins": [
{
"import_time": "2026-07-08T19:33:49.779663036Z",
"sha256": "73dab7161ffcaee5f943894308dd75428e9081b872daaed7ef50218bf98ad44a",
"modified_time": "2026-07-08T19:30:12Z",
"versions": [
"20.0.1"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-008252"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "react-v17-20.0.1.tgz",
"hashes": {
"sha1": "2b46e2d8cfb82d7d5207f78da95322619fa3e11a",
"sha512_sri": "sha512-+eeDnXgw5mbLVewYC+8dMWTmlwfV4vplieN02S8vWdrJY0RpX0XVSyCwfGhWyuNFBlqThpQLsu26DUWavsGejw=="
}
}
],
"evidence_files": [
{
"tlsh": "e45161c505f65a241ba7b8494a4f9402b227e0033605de55bfcc8740af9937c9bf0bf2",
"sha256": "7abadd376ce6457fa7ddeb8b81c18473d480fdb7505903b690ab162996544392",
"path": "index.js"
},
{
"tlsh": "d72288760912a800a723bdd54ee8ec5e25e8e47d621f683cf456efb62b8c14d5f1e123",
"sha256": "5a80c722939ba6f3373043432a13cefcf6b36a52124ed1e6d261dbecd428953a",
"path": "i"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-v17/MAL-2026-7020.json"