-= Per source details. Do not edit below this line.=-
The package's main entrypoint (index.js) is heavily obfuscated with a string-array + RC4-style decoder that reconstructs all API names and the target URL at runtime. On module load it requires fs, os, path, crypto, and childprocess, performs an HTTP GET against the runtime-reconstructed remote host, splits the response on ':', decrypts the parts with createDecipheriv using a hardcoded key/IV, writes the resulting bytes to a file under os.homedir(), and executes that file via childprocess with cwd set to the user's home directory and windowsHide:true. The package ships no README, has an empty description and empty author metadata, and there is no legitimate library functionality — the only effect of requiring it is fetch-decrypt-write-exec of attacker-controlled code on the installer's machine.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-15T01:09:12Z",
"source": "amazon-inspector",
"import_time": "2026-07-15T01:37:34.905783272Z",
"versions": [
"1.0.0"
],
"id": "IN-MAL-2026-010591",
"sha256": "c4beffda94b8ea554f153faaf508da7906f78d821d45d2fca7b7b61180740269"
}
]
}{
"package_integrity": [
{
"filename": "option-1.0.0.tgz",
"hashes": {
"sha1": "e9b7f0528f0aa546952000b028143ab4a46a95c9",
"sha512_sri": "sha512-6ZETB9EBl0lN3gr38rUSi3kTnry5O4cscqMmhCEbHihBKNa+soUedUPVe3eCGLN3LYxVkYoHMNW03MYd4lUU5A=="
}
}
],
"evidence_files": [
{
"sha256": "e3e7b2e8b98ba8d52f781c1c1ebc8299bdc85da4fc2e5f50be38685a76d03775",
"path": "index.js",
"tlsh": "92b297c83fc1b0d04627b0fba95b6594e13a6cccb38c9449f7a6f068fd58314e566b68"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@react-case/option/MAL-2026-10626.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]