I’ve checked on both my local machine and on a VPS I run, and the following URL is 302 redirecting to a malicious JS script which pops up a confirmation window and then redirects to ads:
SOURCE URL: https://unpkg.com/react@latest/dist/react.js
MALICIOUS REDIRECT: https://compliance-jessica.xyz/a.php
This is the URL recommended for in-browser development use by https://facebook.github.io/react/docs/installation.html
Can anyone else replicate this?