MAL-2026-10401
Malicious code in @espn-ping/react-dmed-oauth (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3bc0467ac62043cf22dd249a99ff1279646dc599702140998ff5b86c79645364) @espn-ping/react-dmed-oauth@666.0.0 declares a preinstall lifecycle script (`node index.js > /dev/null 2>&1`) that automatically executes on `npm install`. index.js shells out via child_process.exec to collect the installer's hostname, current working directory, username, and public IP (via `curl https://ifconfig.me`), then transmits the encoded data via `curl -k` GET to `https://r.dontvisitmy.website/sendreq.php?newdata=...`. Output is suppressed to hide the beacon from the installer's console. The scope `@espn-ping` and version `666.0.0` are consistent with a dependency-confusion beacon targeting an internal ESPN/Disney namespace.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for @espn-ping/react-dmed-oauth (npm). Pin to a known-safe version or switch to an alternative.