Supply-chain threat intelligence
Risk score
92
Indexed incident for pp-react-v5 (npm).
pp-react-v5 is a dependency confusion package published at the inflated version 10.0.0 to win npm resolution over any internally-hosted package of the same name. The package contains only a package.json with no functional source code.
On installation the preinstall script executes a wget command that sends a GET request to http://q9ou9xtw.requestrepo.com/ with the current username (whoami), working directory (pwd), and hostname as query parameters, beaconing the victim machine's identity to the attacker-controlled endpoint.
-= Per source details. Do not edit below this line.=-
The package pp-react-v5 was found to contain malicious code.
The OpenSSF Package Analysis project identified 'pp-react-v5' @ 10.0.0 (npm) as malicious.
It is considered malicious because:
Affected versions
Indicators
Timeline