MAL-2026-10626

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@react-case/option/MAL-2026-10626.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10626
Published
2026-07-15T01:09:12Z
Modified
2026-07-15T05:19:39.736112998Z
Summary
Malicious code in @react-case/option (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c4beffda94b8ea554f153faaf508da7906f78d821d45d2fca7b7b61180740269)

The package's main entrypoint (index.js) is heavily obfuscated with a string-array + RC4-style decoder that reconstructs all API names and the target URL at runtime. On module load it requires fs, os, path, crypto, and childprocess, performs an HTTP GET against the runtime-reconstructed remote host, splits the response on ':', decrypts the parts with createDecipheriv using a hardcoded key/IV, writes the resulting bytes to a file under os.homedir(), and executes that file via childprocess with cwd set to the user's home directory and windowsHide:true. The package ships no README, has an empty description and empty author metadata, and there is no legitimate library functionality — the only effect of requiring it is fetch-decrypt-write-exec of attacker-controlled code on the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-15T01:09:12Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T01:37:34.905783272Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-010591",
            "sha256": "c4beffda94b8ea554f153faaf508da7906f78d821d45d2fca7b7b61180740269"
        }
    ]
}
References
Credits

Affected packages

npm / @react-case/option

Package

Name
@react-case/option
View open source insights on deps.dev
Purl
pkg:npm/%40react-case/option

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "option-1.0.0.tgz",
            "hashes": {
                "sha1": "e9b7f0528f0aa546952000b028143ab4a46a95c9",
                "sha512_sri": "sha512-6ZETB9EBl0lN3gr38rUSi3kTnry5O4cscqMmhCEbHihBKNa+soUedUPVe3eCGLN3LYxVkYoHMNW03MYd4lUU5A=="
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e3e7b2e8b98ba8d52f781c1c1ebc8299bdc85da4fc2e5f50be38685a76d03775",
            "path": "index.js",
            "tlsh": "92b297c83fc1b0d04627b0fba95b6594e13a6cccb38c9449f7a6f068fd58314e566b68"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@react-case/option/MAL-2026-10626.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]