OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10401 confirms this npm version as malicious. @espn-ping/react-dmed-oauth@666.0.0 declares a preinstall lifecycle script (`node index.js > /dev/null 2>&1`) that automatically executes on `npm install`. index.js shells out via child_process.exec to collect the installer's hostname, current working directory, username, and public IP (via `curl https://ifconfig.me`), then transmits the encoded data via `curl -k` GET to...
Advisory
MAL-2026-10401
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @espn-ping/react-dmed-oauth (npm)
Details
@espn-ping/react-dmed-oauth@666.0.0 declares a preinstall lifecycle script (`node index.js > /dev/null 2>&1`) that automatically executes on `npm install`. index.js shells out via child_process.exec to collect the installer's hostname, current working directory, username, and public IP (via `curl https://ifconfig.me`), then transmits the encoded data via `curl -k` GET to `https://r.dontvisitmy.website/sendreq.php?newdata=...`. Output is suppressed to hide the beacon from the installer's console. The scope `@espn-ping` and version `666.0.0` are consistent with a dependency-confusion beacon targeting an internal ESPN/Disney namespace.
Decision reason
OpenSSF Malicious Packages via OSV confirms @espn-ping/react-dmed-oauth@666.0.0 as malicious (MAL-2026-10401): Malicious code in @espn-ping/react-dmed-oauth (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory