{"id":"MAL-2026-4477","summary":"Malicious code in allbridge-example-react (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d1b559cd05fa1b995a6564d71a35fe6bd18897f030af24e064eed9a4ee63e787)\npackage.json declares a preinstall lifecycle script that runs `wget` against https://webhook.site/64063d25-fcd3-44e5-a454-34845bc63250/ with query parameters carrying $(whoami), $(pwd), and $(hostname). The request fires unconditionally on every `npm install`, transmitting the installing user's username, working directory, and hostname to an attacker-controlled inspection endpoint with no opt-in or documented purpose. The package name impersonates the Allbridge project but ships no library code — only the manifest with the beacon and a single suspicious dependency. This is the canonical dependency-confusion reconnaissance pattern: a lure package that maps internal build environments to enable follow-on targeting.\n","modified":"2026-05-26T06:02:08.654751559Z","published":"2026-05-22T00:47:32Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","id":"IN-MAL-2026-004106","versions":["9.0.0"],"import_time":"2026-05-26T05:51:57.090241042Z","sha256":"d1b559cd05fa1b995a6564d71a35fe6bd18897f030af24e064eed9a4ee63e787","modified_time":"2026-05-22T00:47:32Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/allbridge-example-react/v/9.0.0"}],"affected":[{"package":{"name":"allbridge-example-react","ecosystem":"npm","purl":"pkg:npm/allbridge-example-react"},"versions":["9.0.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"18f0a2799630ea471ec64fa00820925ff671f91b94412e0cdeb323dc458f9df243d958","path":"package.json","sha256":"4de55be65b525ae2aefc4279b0413c957ca850b159e0e7674ce64544df37ab12"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-H6XGIVkGjs7jERAUZz9Q/bIWazEvEl655K/4XcVYCpUE6oXWax/1Wyz5fr5XpYp3+CQ5l3WvRRPHc94D0JLSPQ==","sha1":"77bdd17642932ff5c2c0219accc7bbcec45378d4"},"filename":"allbridge-example-react-9.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/allbridge-example-react/MAL-2026-4477.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}