react-tracked-tonynpm

react-tracked-tony impersonates the popular react-tracked package: package.json sets name: react-tracked-tony, author: Daishi Kato, and homepage: https://react-tracked.js.org (the real project's site), while the repository URL points at an unrelated user account (github.com/daltonchristiano060-gif/react-tracked-tony.git). The package re-exports the real react-tracked API to appear functional. On require/import in Node, endex.js fetches a JavaScript payload from https://almondco.online/api/droppers/38jmkse over HTTPS with TLS verification explicitly disabled (rejectUnauthorized: false) and executes the response body in-process via new Function('require', text + tail)(require), handing the remote code full Node require access. Before fetching, endex.js enumerates ~20 cloud/CI/sandbox indicators (GitHub Actions, GitLab CI, CircleCI, Travis, Vercel, Netlify, Kubernetes, AWS Lambda/ECS/Batch, Azure, GCP Cloud Run/App Engine) and reads /sys/class/dmi/id/sys_vendor to detect Amazon/Google/Microsoft/QEMU/OpenStack hypervisors, aborting on match — a deliberate anti-analysis gate so the payload only fires on real developer/operator machines. Combination of typosquat + impersonated author metadata + import-time remote-code-exec from a non-publisher domain + TLS verification disabled + sandbox evasion is an unambiguous supply-chain attack.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.