npm

@su-doughnym/react-dlb @99.99.99

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 8:23 PM UTC

Malicious

OSV ID

MAL-2026-6410

Ecosystem

npm

Summary

Package self-identifies as a dependency-confusion bug-bounty proof-of-concept and is published at version 99.99.99 to win resolution priority over an internal package of the same name. The shipped postinstall script (postinstall.js lines 11-13) only reads os.hostname(), os.userInfo().username, process.version, and process.pid and prints them to stdout — no network call, no file write, no credential read, no remote fetch. The current tarball therefore does not exfiltrate or execute attacker-controlled bytes on the installer. The risk is that any organization whose internal package resolution accidentally pulls @su-doughnym/react-dlb instead of an internal package of the same name will execute this author's lifecycle scripts, and a future version under the same name+scope could replace the harmless beacon with a weaponized payload.

Source: amazon-inspector (2269beae8c30caccda966ca3aba35c3eddb4795fba0161045f14758ff150f58b)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.