VDB
KO

MAL-2026-10207

Malicious code in react-dom-v17 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f55f6e35ab09a2fcd6521dac51aa4baa4cfa726958bc266a0d56fc14de240a29) Package name impersonates the widely-used `react-dom` package (react-dom-v17). `package.json` declares `preinstall: node index.js`, which fires automatically on `npm install`. The preinstall script (`index.js`) shells out via `child_process.exec` to run `whoami` and `id`, and collects host/user identifiers via `os.hostname()`, `os.userInfo()` (username, uid, gid, shell), `process.platform`, arch, home directory, and cwd. The collected JSON payload is POSTed to a hardcoded Burp Collaborator (oastify.com) subdomain at `https://cjzlyigayl8lknm1sjrppofio9u0is6h.oastify.com/detox56`. The oastify.com host is an attacker-controlled out-of-band callback endpoint used for reconnaissance beacons and confirms exfiltration intent. The preinstall shell execution surface also establishes arbitrary command execution on the installer at install time, enabling follow-on payloads.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-dom-v17

No fixed version published yet for react-dom-v17 (npm). Pin to a known-safe version or switch to an alternative.

References