npm

react-dom-v17 @15.0.1

Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 11:38 PM UTC

Malicious

OSV ID

MAL-2026-10207

Ecosystem

npm

Summary

Package name impersonates the widely-used react-dom package (react-dom-v17). package.json declares preinstall: node index.js , which fires automatically on npm install . The preinstall script ( index.js ) shells out via child_process.exec to run whoami and id , and collects host/user identifiers via os.hostname() , os.userInfo() (username, uid, gid, shell), process.platform , arch, home directory, and cwd. The collected JSON payload is POSTed to a hardcoded Burp Collaborator (oastify.com) subdomain at https://cjzlyigayl8lknm1sjrppofio9u0is6h.oastify.com/detox56 . The oastify.com host is an attacker-controlled out-of-band callback endpoint used for reconnaissance beacons and confirms exfiltration intent. The preinstall shell execution surface also establishes arbitrary command execution on the installer at install time, enabling follow-on payloads.

Source: amazon-inspector (f55f6e35ab09a2fcd6521dac51aa4baa4cfa726958bc266a0d56fc14de240a29)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.