registry  /  react-dom-v17  /  15.0.1

react-dom-v17@15.0.1

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10207 confirms this npm version as malicious. Package name impersonates the widely-used `react-dom` package (react-dom-v17). `package.json` declares `preinstall: node index.js`, which fires automatically on `npm install`. The preinstall script (`index.js`) shells out via `child_process.exec` to run `whoami` and `id`, and collects host/user identifiers via `os.hostname()`, `os.userInfo()` (username, uid, gid, shell), `process.platform`, arch, home directory, and...

Advisory
MAL-2026-10207
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in react-dom-v17 (npm)
Details
Package name impersonates the widely-used `react-dom` package (react-dom-v17). `package.json` declares `preinstall: node index.js`, which fires automatically on `npm install`. The preinstall script (`index.js`) shells out via `child_process.exec` to run `whoami` and `id`, and collects host/user identifiers via `os.hostname()`, `os.userInfo()` (username, uid, gid, shell), `process.platform`, arch, home directory, and cwd. The collected JSON payload is POSTed to a hardcoded Burp Collaborator (oastify.com) subdomain at `https://cjzlyigayl8lknm1sjrppofio9u0is6h.oastify.com/detox56`. The oastify.com host is an attacker-controlled out-of-band callback endpoint used for reconnaissance beacons and confirms exfiltration intent. The preinstall shell execution surface also establishes arbitrary command execution on the installer at install time, enabling follow-on payloads.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.94 KB of source, external domains: cjzlyigayl8lknm1sjrppofio9u0is6h.oastify.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.preinstall = node index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
1const { exec } = require('child_process'); L2: const os = require('os'); L3: const https = require('https'); L4: const http = require('http'); ... L12: return new Promise((resolve, reject) => { L13: exec(command, (error, stdout, stderr) => { L14: if (error) { ... L30: pwd: '', L31: hostname: os.hostname(), L32: platform: os.platform(), ... L96: if (res.statusCode >= 200 && res.statusCode < 300) { L97: resolve({ statusCode: res.statusCode, body: responseData });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

index.jsView on unpkg · L1

Findings

2 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilityindex.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings