Supply-chain threat intelligence
Risk score
92
Indexed incident for react-dom-v17 (npm).
Package name impersonates the widely-used react-dom package (react-dom-v17). package.json declares preinstall: node index.js, which fires automatically on npm install. The preinstall script (index.js) shells out via child_process.exec to run whoami and id, and collects host/user identifiers via os.hostname(), os.userInfo() (username, uid, gid, shell), process.platform, arch, home directory, and cwd. The collected JSON payload is POSTed to a hardcoded Burp Collaborator (oastify.com) subdomain at https://cjzlyigayl8lknm1sjrppofio9u0is6h.oastify.com/detox56. The oastify.com host is an attacker-controlled out-of-band callback endpoint used for reconnaissance beacons and confirms exfiltration intent. The preinstall shell execution surface also establishes arbitrary command execution on the installer at install time, enabling follow-on payloads.
Affected versions
Indicators
Timeline