react-context-form-tdsss @9.0.0
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC
OSV ID
MAL-2026-6512
Ecosystem
npm
Summary
react-context-form-tdsss@9.0.0 is a dependency-confusion payload. package.json declares scripts.preinstall="node index.js", and index.js issues an HTTPS GET to a hardcoded interactsh/OAST subdomain (d8v0o1a9io6mjndcpbgghpfmkcgcm6dno.oast.online/npm-installed) on install. This beacon discloses the installer's public IP and confirms code execution on the installer's host to the operator of the OAST listener. The package.json description self-identifies as a dependency-confusion PoC and declares a self-dependency, the shape used to squat an internal/private package name on the public registry so that resolution in a victim environment pulls and executes this code. Installing this package causes outbound network beaconing on the installer's machine without consent.
Source: amazon-inspector (7a53e75a65681ee9ea818634ddee1ed52c6c8398dbd68e2b6abca255b24aaf37)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.