
MAL-2026-6131

Malicious code in computerrock-babel-preset-react-app (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8987a1638ceebfb3dc8c8fc29e8e696fa15c6fe667697dfc367f59bf56b14cfa)

The package impersonates the well-known babel-preset-react-app under a fake org-style prefix and ships no Babel preset code. package.json declares "preinstall": "node index.js", which runs automatically on npm install. index.js collects hostname, platform, arch, homedir, username/uid/gid/shell, OS info, current working directory, and the output of `whoami` and `id`, then POSTs the JSON payload to a hardcoded https://0bccssrkeubggq24k750nrw0erki88wx.oastify.com/detox56 URL (a Burp Collaborator out-of-band exfiltration host). The package's only function is reconnaissance and exfiltration of installer-side identifiers to an attacker-controlled host.
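
A static triage check for the pattern described above, as an added example that is not code from the advisory or from the package: it reads an unpacked package's files as text, follows any install-time lifecycle script to the file it runs, and flags host-reconnaissance calls and an oastify.com callback. The function name, the regexes and both sample file sets are assumptions constructed for illustration.

```javascript
// Install-time hooks that npm runs automatically.
const LIFECYCLE = ["preinstall", "install", "postinstall"];
// Indicators taken from the advisory text; the regexes are this example's own.
const INDICATORS = [
  { name: "host-recon", re: /\bos\.(hostname|userInfo|homedir|platform|arch)\s*\(/ },
  { name: "shell-identity", re: /\b(execSync|exec|spawnSync)\s*\(\s*['"`](whoami|id)\b/ },
  { name: "oob-host", re: /https?:\/\/[a-z0-9.-]*\.oastify\.com\b/i },
];

// files: map of path -> file text from the unpacked tarball (never executed).
function triagePackage(files) {
  const findings = [];
  const manifest = JSON.parse(files["package.json"] || "{}");
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ hook, kind: "lifecycle-script", detail: cmd });
    // Follow "node <file>" to the script the hook would run.
    const m = /^\s*node\s+(?:\.\/)?(\S+)/.exec(cmd);
    const src = m ? files[m[1]] : undefined;
    if (src === undefined) continue;
    for (const { name, re } of INDICATORS) {
      const hit = re.exec(src);
      if (hit) findings.push({ hook, kind: name, detail: hit[0] });
    }
  }
  return findings;
}

// Constructed sample mirroring the description: text fragments, not the real package.
const SAMPLE = {
  "package.json": JSON.stringify({
    name: "sample-fake-preset",
    scripts: { preinstall: "node index.js" },
  }),
  "index.js": [
    "const info = { host: os.hostname(), user: os.userInfo() };",
    "const who = execSync('whoami').toString();",
    "const url = 'https://constructed-subdomain.oastify.com/path';",
  ].join("\n"),
};
// Constructed benign package: same os call, but no install-time hook reaches it.
const BENIGN = {
  "package.json": JSON.stringify({ name: "sample-benign", scripts: { test: "node test.js" } }),
  "test.js": "console.log(os.hostname());",
};

console.log(triagePackage(SAMPLE));
```

Run it over the output of `npm pack` rather than an installed tree; `npm install --ignore-scripts` keeps lifecycle hooks from executing while a package is under review.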

Affected packages

npm / computerrock-babel-preset-react-app

No fixed version published yet for computerrock-babel-preset-react-app (npm). Pin to a known-safe version or switch to an alternative.

References