MAL-2026-6512
Malicious code in react-context-form-tdsss (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7a53e75a65681ee9ea818634ddee1ed52c6c8398dbd68e2b6abca255b24aaf37)

react-context-form-tdsss@9.0.0 is a dependency-confusion payload. package.json declares scripts.preinstall="node index.js", and index.js issues an HTTPS GET to a hardcoded interactsh/OAST subdomain (d8v0o1a9io6mjndcpbgghpfmkcgcm6dno.oast.online/npm-installed) on install. This beacon discloses the installer's public IP and confirms code execution on the installer's host to the operator of the OAST listener. The package.json description self-identifies as a dependency-confusion PoC and declares a self-dependency, the shape used to squat an internal/private package name on the public registry so that resolution in a victim environment pulls and executes this code. Installing this package causes outbound network beaconing on the installer's machine without consent.
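The three traits the analysis above calls out (an install lifecycle script, a self-dependency, and a description that self-identifies as a dependency-confusion PoC) are all visible in package.json before anything runs, so they can be checked by a pre-install audit. The following is an added example written for this page, not code from the advisory or from any of its sources; the sample package.json is constructed to match the described shape, and `audit_package_json` and `INSTALL_HOOKS` are names chosen here.

```python
import json
from typing import List

# Constructed sample package.json shaped like the advisory's description:
# a preinstall hook, a self-dependency, and a PoC description. No beacon
# domain is included; the check is on manifest shape, not on the payload.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "react-context-form-tdsss",
    "version": "9.0.0",
    "description": "dependency confusion PoC",
    "scripts": {"preinstall": "node index.js"},
    "dependencies": {"react-context-form-tdsss": "9.0.0"},
})

# Constructed benign manifest for comparison.
CLEAN_PACKAGE_JSON = json.dumps({
    "name": "some-internal-lib",
    "version": "1.2.3",
    "scripts": {"test": "jest"},
    "dependencies": {"react": "^18.0.0"},
})

# npm lifecycle scripts that execute automatically on `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

DEP_SECTIONS = (
    "dependencies",
    "devDependencies",
    "optionalDependencies",
    "peerDependencies",
)


def audit_package_json(text: str) -> List[str]:
    """Return a list of findings for one package.json document.

    An empty list means none of the three manifest-level traits were seen.
    """
    pkg = json.loads(text)
    findings: List[str] = []
    name = pkg.get("name", "")

    # 1. Any install-time hook means code runs on the installer's host
    #    before the package is ever imported.
    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"install hook {hook}: {scripts[hook]}")

    # 2. A package that lists itself as a dependency is the shape the
    #    advisory associates with squatting an internal package name.
    for section in DEP_SECTIONS:
        deps = pkg.get(section) or {}
        if name and name in deps:
            findings.append(f"self-dependency in {section}")

    # 3. Description text that announces the intent.
    desc = (pkg.get("description") or "").lower()
    if "dependency confusion" in desc or "dependency-confusion" in desc:
        findings.append("description self-identifies as dependency-confusion PoC")

    return findings


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PACKAGE_JSON), ("clean", CLEAN_PACKAGE_JSON)):
        print(label, audit_package_json(doc) or "no findings")
```

The manifest check is a triage aid, not a verdict: a legitimate package may carry a postinstall script, so the lifecycle hook finding should be read together with the other two. Independently of this check, running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) prevents the preinstall hook described above from executing at all, and pinning internal package names to a private registry scope removes the resolution ambiguity that dependency confusion relies on.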
## Source: ossf-package-analysis (93a527c5b8a2dec60d70994e1423e4138bdc1a6218cf11ff7528919767b3dea3)

The OpenSSF Package Analysis project identified 'react-context-form-tdsss' @ 9.0.0 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected packages
No fixed version published yet for react-context-form-tdsss (npm). Pin to a known-safe version or switch to an alternative.