Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in react-dom-v17 (npm)

react-dom-v17

Risk score

92

AI summary

Indexed incident for react-dom-v17 (npm).

Description

Package name impersonates the widely-used react-dom package (react-dom-v17). package.json declares preinstall: node index.js, which fires automatically on npm install. The preinstall script (index.js) shells out via child_process.exec to run whoami and id, and collects host/user identifiers via os.hostname(), os.userInfo() (username, uid, gid, shell), process.platform, arch, home directory, and cwd. The collected JSON payload is POSTed to a hardcoded Burp Collaborator (oastify.com) subdomain at https://cjzlyigayl8lknm1sjrppofio9u0is6h.oastify.com/detox56. The oastify.com host is an attacker-controlled out-of-band callback endpoint used for reconnaissance beacons and confirms exfiltration intent. The preinstall shell execution surface also establishes arbitrary command execution on the installer at install time, enabling follow-on payloads.

Technical details

Affected versions

=15.0.1

Indicators

  • affected version=15.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents