pp-react-v5 @30.0.2
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-3509
Ecosystem
npm
Summary
package.json declares preinstall and postinstall hooks that execute index.js on npm install. The script collects installer host identifiers via os.hostname(), os.userInfo().username, os.homedir(), process.cwd(), dns.getServers(), and the local package.json contents, then POSTs them over HTTPS to a hardcoded interact.sh out-of-band collector subdomain at bvfmpadujgjgmbtzeibi1n3vi1psox11k.oast.fun. The package name 'pp-react-v5', the description 'Internal App bUg b0UntY gollum22 h1', and the inflated 30.0.1 version are consistent with a dependency-confusion probe targeting an internal package name. Installing this package results in unauthenticated disclosure of installer identity, environment, and repository metadata to an attacker-controlled collector.
Source: amazon-inspector (f2ada661adc926404648a9955aaad5c4faefaf24937ec8a75df2deaf0f09716c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.