Someone published a trojan inside a clone of react-refresh

We just found and reported a malicious npm package impersonating react-refresh - 42 million weekly downloads, used in virtually every React build toolchain. One file modified. Rest of the package works normally. On install it reaches a C2 domain linked to Lazarus Group and drops a trojan, platform-specific for Windows, Linux, and macOS.

The only visible tell: version number claims 2.0.5. The real package has never shipped a 2.x release.

Go through the analysis and complete breakdown. https://safedep.io/malicious-npm-react-refresh-update/