OSV Malicious Advisory
scanned 1h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10207 confirms this npm version as malicious. Package name impersonates the widely-used `react-dom` package (react-dom-v17). `package.json` declares `preinstall: node index.js`, which fires automatically on `npm install`. The preinstall script (`index.js`) shells out via `child_process.exec` to run `whoami` and `id`, and collects host/user identifiers via `os.hostname()`, `os.userInfo()` (username, uid, gid, shell), `process.platform`, arch, home directory, and...
Decision evidence
public snapshotSource & flagged code
2 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
index.jsView on unpkg · L1