MAL-2026-10207
Malicious code in react-dom-v17 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f55f6e35ab09a2fcd6521dac51aa4baa4cfa726958bc266a0d56fc14de240a29) Package name impersonates the widely-used `react-dom` package (react-dom-v17). `package.json` declares `preinstall: node index.js`, which fires automatically on `npm install`. The preinstall script (`index.js`) shells out via `child_process.exec` to run `whoami` and `id`, and collects host/user identifiers via `os.hostname()`, `os.userInfo()` (username, uid, gid, shell), `process.platform`, arch, home directory, and cwd. The collected JSON payload is POSTed to a hardcoded Burp Collaborator (oastify.com) subdomain at `https://cjzlyigayl8lknm1sjrppofio9u0is6h.oastify.com/detox56`. The oastify.com host is an attacker-controlled out-of-band callback endpoint used for reconnaissance beacons and confirms exfiltration intent. The preinstall shell execution surface also establishes arbitrary command execution on the installer at install time, enabling follow-on payloads.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for react-dom-v17 (npm). Pin to a known-safe version or switch to an alternative.