{"id":"MAL-2026-4660","summary":"Malicious code in react-malicious-clone (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f03498aa5167e02289d4c8984282f6a1b6321af60fb9ff04d0ce9503faefffdd)\nPackage name impersonates React and the package.json copies React's description, homepage (react.dev), bugs URL, and canary versioning scheme. On require/import, index.js synchronously collects os.hostname(), os.userInfo().username, cwd, platform, arch, node version, and iterates process.env filtering keys against /token|key|secret|password|auth|credential|api/i to capture arbitrary installer secrets (CI tokens, npm tokens, AWS keys, GitHub tokens, etc.). The resulting JSON payload is POSTed via https to webhook.site/0240f6ff-33e5-40a5-845a-8e3f80b6d957. The code self-labels '[SUPPLY CHAIN ATTACK - PoC]'. Any consumer requiring this package leaks credential-shaped environment variables to an attacker-controlled webhook.\n","modified":"2026-05-26T06:02:38.285714346Z","published":"2026-05-24T14:06:28Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-24T14:06:29Z","sha256":"b864ddf2d18e38ac791dd4fbacfa6fb37031ddb37538d91b3e0cebd472246b54","import_time":"2026-05-26T05:52:44.307159672Z","id":"IN-MAL-2026-004508","source":"amazon-inspector","versions":["19.3.0-canary-d5736f09-20260507"]},{"modified_time":"2026-05-24T14:06:28Z","sha256":"f03498aa5167e02289d4c8984282f6a1b6321af60fb9ff04d0ce9503faefffdd","import_time":"2026-05-26T05:52:44.182401453Z","id":"IN-MAL-2026-004507","source":"amazon-inspector","versions":["19.3.0-canary-d5736f09-20260507"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/react-malicious-clone/v/19.3.0-canary-d5736f09-20260507"}],"affected":[{"package":{"name":"react-malicious-clone","ecosystem":"npm","purl":"pkg:npm/react-malicious-clone"},"versions":["19.3.0-canary-d5736f09-20260507"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"29ab3db2edb33c21866ab63f84eb81e6f74e8f8edcb779236a75fafe050ae6b4","tlsh":"8b2101f251b4495516b3a6e67043515761fac007bb21f878b3dc82f81fd8adc10b39da","path":"index.js"},{"tlsh":"0621d119d9a49da30de62a9a6c291186a319585f0d493e487b8a942e5b4d0cf10fa31c","sha256":"cbc19ef4666c75222b6a6b6caf28a12d75c7aa9e2d8e406a2eda258f5edc0601","path":"package.json"}],"package_integrity":[{"filename":"react-malicious-clone-19.3.0-canary-d5736f09-20260507.tgz","hashes":{"sha512_sri":"sha512-CXsdCkC+uj+WK/xaA9JN7/MAM8p5MBOk9//YZkM2gPlzeDhi4zxsgfSpiA0LicHjBcc1xTdd8MzW0DKEOT8hNQ==","sha1":"d2094639e3020c4f498a44bfe993e621e3d3b882"}}],"domains":["webhook.site"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-malicious-clone/MAL-2026-4660.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}