Supply-chain threat intelligence

Incident detail

criticalnpm·dependency confusion·osv

Malicious code in pp-react-v5 (npm)

pp-react-v5

Risk score

92

AI summary

Indexed incident for pp-react-v5 (npm).

Description

pp-react-v5 is a dependency confusion package published at the inflated version 10.0.0 to win npm resolution over any internally-hosted package of the same name. The package contains only a package.json with no functional source code.

On installation the preinstall script executes a wget command that sends a GET request to http://q9ou9xtw.requestrepo.com/ with the current username (whoami), working directory (pwd), and hostname as query parameters, beaconing the victim machine's identity to the attacker-controlled endpoint.


-= Per source details. Do not edit below this line.=-

The package pp-react-v5 was found to contain malicious code.

The OpenSSF Package Analysis project identified 'pp-react-v5' @ 10.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.

Technical details

Affected versions

=10.0.0=30.0.1>=0

Indicators

  • affected version=10.0.075%
  • affected version=30.0.175%
  • affected version>=075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents