react-v17 @20.0.1
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC
OSV ID
MAL-2026-7020
Ecosystem
npm
Summary
Package name 'react-v17' impersonates the legitimate 'react' package. package.json declares a preinstall hook 'node index.js' that auto-executes on npm install. index.js collects installer identity and host details (os.hostname(), os.userInfo(), os.platform/arch, home directory, cwd) and runs 'whoami' and 'id' via child_process.exec, then HTTPS POSTs the aggregate JSON to a hardcoded Burp Collaborator OOB endpoint at https://1jlay7gzya8akcmqs8repdf7oyupim6b.oastify.com/detox56. The tarball also ships an undeclared ~10.9 KB file 'i' next to index.js that is not referenced by package.json or index.js.
Source: amazon-inspector (73dab7161ffcaee5f943894308dd75428e9081b872daaed7ef50218bf98ad44a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.