Someone published a trojan inside a clone of react-refresh

1 points by Sudhanshu2310 ↗ HN
We just found and reported a malicious npm package impersonating react-refresh - 42 million weekly downloads, used in virtually every React build toolchain.

One file modified. Rest of the package works normally. On install it reaches a C2 domain linked to Lazarus Group and drops a trojan, platform-specific for Windows, Linux, and macOS.

The only visible tell: version number claims 2.0.5. The real package has never shipped a 2.x release. Go through the analysis and complete breakdown. https://safedep.io/malicious-npm-react-refresh-update/

0 comments

[ 2.8 ms ] story [ 11.3 ms ] thread

No comments yet.