{"id":"MAL-2026-6512","summary":"Malicious code in react-context-form-tdsss (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7a53e75a65681ee9ea818634ddee1ed52c6c8398dbd68e2b6abca255b24aaf37)\nreact-context-form-tdsss@9.0.0 is a dependency-confusion payload. package.json declares scripts.preinstall=\"node index.js\", and index.js issues an HTTPS GET to a hardcoded interactsh/OAST subdomain (d8v0o1a9io6mjndcpbgghpfmkcgcm6dno.oast.online/npm-installed) on install. This beacon discloses the installer's public IP and confirms code execution on the installer's host to the operator of the OAST listener. The package.json description self-identifies as a dependency-confusion PoC and declares a self-dependency, the shape used to squat an internal/private package name on the public registry so that resolution in a victim environment pulls and executes this code. Installing this package causes outbound network beaconing on the installer's machine without consent.\n\n## Source: ossf-package-analysis (93a527c5b8a2dec60d70994e1423e4138bdc1a6218cf11ff7528919767b3dea3)\nThe OpenSSF Package Analysis project identified 'react-context-form-tdsss' @ 9.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-26T08:01:24.918832720Z","published":"2026-06-26T05:44:13Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-26T06:28:52.922629038Z","modified_time":"2026-06-26T05:44:13Z","sha256":"7a53e75a65681ee9ea818634ddee1ed52c6c8398dbd68e2b6abca255b24aaf37","versions":["9.0.0"],"source":"amazon-inspector","id":"IN-MAL-2026-007596"},{"import_time":"2026-06-26T07:52:01.307662647Z","modified_time":"2026-06-26T07:51:51Z","sha256":"93a527c5b8a2dec60d70994e1423e4138bdc1a6218cf11ff7528919767b3dea3","versions":["9.0.0"],"source":"ossf-package-analysis"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/react-context-form-tdsss/v/9.0.0"}],"affected":[{"package":{"name":"react-context-form-tdsss","ecosystem":"npm","purl":"pkg:npm/react-context-form-tdsss"},"versions":["9.0.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"7dd02be600fa0120187092c54501ae5e755bc4302e49b5f29a08026186817f886ea5c5","sha256":"314b544d422705c6162049715a5d12edf0928a1ce7b1e811715aa64167eeff76","path":"index.js"},{"tlsh":"84d05e20cc14d9b329e619f2447941066ba9ed2a900a9cdd55c2800c8adcdea4aae749","sha256":"8639e0e83cada84a6c57aa3add7fbf60597493536944ad02bfd1cd6e9e3bd193","path":"package.json"}],"package_integrity":[{"filename":"react-context-form-tdsss-9.0.0.tgz","hashes":{"sha512_sri":"sha512-zE51emM9hmo+0cdMh1n7JEBBfHuPZe3JBhFZiSPR8x/uKLjpF5Rogzql5k3KD5qmFF0DxtMX/nvLt6oQ2U2XvQ==","sha1":"9b4a14cefe511f40556e34191545ce4aa8d31096"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-context-form-tdsss/MAL-2026-6512.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}