-= Per source details. Do not edit below this line.=-
The package's default export getPlugin fetches a JSON document from the hardcoded endpoint https://svganchordev.net/icons/108 and passes the returned credits field to new Function('require','module','exports',...,'Promise', data.credits), executing the server-supplied string as JavaScript with full Node.js globals (require, process, Buffer) available. The remote URL is assembled by concatenating protocol/separator/domain/path fragments and the request is framed with an bearrtoken: "logo" header and an icon-retrieval path, disguising a remote code loader as an SVG helper despite the package's advertised role as a React/SVG utility. Declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3, node-machine-id) are consistent with a credential and host-fingerprint stealer stage delivered by the fetched payload. Any caller of the advertised API triggers execution of arbitrary attacker-controlled code on the installer's host, and the payload can be changed server-side at any time.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-15T15:45:21Z",
"sha256": "52d4b717c5de5139b732e16ea9eca2654947ecf17e919334a6dd039c5b60e059",
"versions": [
"5.4.2"
],
"import_time": "2026-07-15T16:34:36.342742205Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010684"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "react-hook-scripts-5.4.2.tgz",
"hashes": {
"sha1": "19b2b7c619e2e677568d190167a2a650e1f50af6",
"sha512_sri": "sha512-hZyPz/YpF/r0n/r39F44mgR+IQAgy+P+bSACdlniifnmG1zcIy2c8gNa5utoxow6GixPUUejbzQNFe0WMo1G4A=="
}
}
],
"evidence_files": [
{
"tlsh": "ebc1616546fa31a36a67e4eef30f10027165e3133759e971f48e42902fca568e5f24e8",
"sha256": "bbf2e5eb654fae0b706618a4172fda87c34834fb2bfeb503bb5a262dd8d3b0b8",
"path": "index.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-hook-scripts/MAL-2026-10684.json"