-= Per source details. Do not edit below this line.=-
Package published as a React navigation library but ships code from an unrelated logger fork with an injected remote-execute payload. lib/levels.js contains a top-level IIFE that performs an HTTP GET to http://mongos-hooks-api.vercel.app/defy/v3 and, on a 404 response, passes a token field from the response body to new Function.constructor('require', res.token)(require), running arbitrary attacker-supplied JavaScript with the package's require binding. lib/const.js stores a base64-encoded secondary URL under the misleading name DEVAPIKEY that decodes to https://jsonkeeper.com/b/4NAKK, an anonymous JSON-paste host usable as a backup payload source. index.js additionally spawns a detached Node child process (process.execPath on lib/caller.js) with stdio ignored and unref()'d on every require. The package.json name and description advertise a React navigation library, while index.js is a chai assertions plugin and lib/ is a fork of pino/flowlimit — a masquerade shape. The remote-execution path fires on module load, so any consumer that requires this package triggers execution of code fetched over plain HTTP from an attacker-controlled endpoint.
{
"malicious-packages-origins": [
{
"sha256": "581bd6ff87fb89c83d76fffd9fac9aab57039cd200f8d9f8991ce3a997511644",
"id": "IN-MAL-2026-009615",
"import_time": "2026-07-10T15:23:37.331898287Z",
"modified_time": "2026-07-10T15:19:41Z",
"versions": [
"1.0.0"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "7750397a04f8b936610251ceb6d8b5aa1f2f0c45298935b3bdd8e1e82bc9e24b",
"tlsh": "cff1a43279f460228a1664f5490fb821b176c50b300db9d9f1ae97a43f8f02d9e33b9d",
"path": "lib/levels.js"
},
{
"sha256": "d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f",
"tlsh": "b9c08c8351f0684b04301bb3a50ca991f2a1d26f0884160231f564844b396a92848fb7",
"path": "lib/const.js"
},
{
"sha256": "195c47d5205f56ae30ddd48a1ffbefb40c230264ca4127379b8d4fee15e5da88",
"tlsh": "dfc1cfa839a3e0188523b1f5097fa416d476a027202dd9d8b5ecc2d01fddee89523dfb",
"path": "index.js"
},
{
"tlsh": "cd21bea5d868ac6319ca2591a8690457a136dd078c1cfc0d33e3835c8f9e96f05be73d",
"sha256": "2da9a1d64d808db1e2c8821f6efbcca7ae7edbfc0f9eb68684ad2e645e37c089",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "eth-react-redirection-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-bO4ifiCEKWzqg7EXmDBvjaiUiIFbfXIVWTk2b+0sMR/bTcleMSFEQWHkcGPeAJcPr2UpKcd3uQYv6LX+VV73Qg==",
"sha1": "72c8bcdb10e8f0a06a5d4974907b2df2af5bac4b"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eth-react-redirection/MAL-2026-10127.json"