react-tracked-tony @2.0.1

Summary

react-tracked-tony impersonates the popular react-tracked package: package.json sets name: react-tracked-tony , author: Daishi Kato , and homepage: https://react-tracked.js.org (the real project's site), while the repository URL points at an unrelated user account (github.com/daltonchristiano060-gif/react-tracked-tony.git). The package re-exports the real react-tracked API to appear functional. On require/import in Node, endex.js fetches a JavaScript payload from https://almondco.online/api/droppers/38jmkse over HTTPS with TLS verification explicitly disabled ( rejectUnauthorized: false ) and executes the response body in-process via new Function('require', text + tail)(require) , handing the remote code full Node require access. Before fetching, endex.js enumerates ~20 cloud/CI/sandbox indicators (GitHub Actions, GitLab CI, CircleCI, Travis, Vercel, Netlify, Kubernetes, AWS Lambda/ECS/Batch, Azure, GCP Cloud Run/App Engine) and reads /sys/class/dmi/id/sys_vendor to detect Amazon/Google/Microsoft/QEMU/OpenStack hypervisors, aborting on match — a deliberate anti-analysis gate so the payload only fires on real developer/operator machines. Combination of typosquat + impersonated author metadata + import-time remote-code-exec from a non-publisher domain + TLS verification disabled + sandbox evasion is an unambiguous supply-chain attack.

Source: amazon-inspector (eeb24dfdd4a970dc44c017056c2a39bed6aa5973a7ec7e94b20c70d90114726c)