{"id":"MAL-2026-10401","summary":"Malicious code in @espn-ping/react-dmed-oauth (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3bc0467ac62043cf22dd249a99ff1279646dc599702140998ff5b86c79645364)\n@espn-ping/react-dmed-oauth@666.0.0 declares a preinstall lifecycle script (`node index.js \u003e /dev/null 2\u003e&1`) that automatically executes on `npm install`. index.js shells out via child_process.exec to collect the installer's hostname, current working directory, username, and public IP (via `curl https://ifconfig.me`), then transmits the encoded data via `curl -k` GET to `https://r.dontvisitmy.website/sendreq.php?newdata=...`. Output is suppressed to hide the beacon from the installer's console. The scope `@espn-ping` and version `666.0.0` are consistent with a dependency-confusion beacon targeting an internal ESPN/Disney namespace.\n","modified":"2026-07-13T07:47:05.671816260Z","published":"2026-07-13T05:15:09Z","database_specific":{"malicious-packages-origins":[{"sha256":"3bc0467ac62043cf22dd249a99ff1279646dc599702140998ff5b86c79645364","id":"IN-MAL-2026-009801","source":"amazon-inspector","versions":["666.0.0"],"import_time":"2026-07-13T07:40:09.707090771Z","modified_time":"2026-07-13T05:15:09Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@espn-ping/react-dmed-oauth/v/666.0.0"}],"affected":[{"package":{"name":"@espn-ping/react-dmed-oauth","ecosystem":"npm","purl":"pkg:npm/%40espn-ping/react-dmed-oauth"},"versions":["666.0.0"],"database_specific":{"indicators":{"evidence_files":[{"path":"index.js","sha256":"fb898d2b17155d7515849e84fbe3680a4aa6036c263235f820f189b37aca6f34","tlsh":"ccf09ee274af34b1b3a770844a03640eb6477b4b1cb7c8007d1d42350fd8488a6656e8"},{"path":"package.json","sha256":"b9217c4d23c68a9a1fe4940c26d91ad846d9b7e396117b785e7d006eb1f3ff1c","tlsh":"72e07d348f311c7369d101a6182b404a1364ef2f05147c8c73cb0c1c458d23ba8fa75c"}],"package_integrity":[{"filename":"react-dmed-oauth-666.0.0.tgz","hashes":{"sha512_sri":"sha512-Cck97d4l01o1jeJfpsAq+cx7+hFF8iFR0iz45HypIqlUHl3WOKPa7foOxsOeWZZIY8EpGxEL2bnZKAEOQtZupw==","sha1":"7265e8e4c92590c0f7e5ddb7712e01f425f28164"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@espn-ping/react-dmed-oauth/MAL-2026-10401.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}