MAL-2026-10684

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-hook-scripts/MAL-2026-10684.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10684
Published
2026-07-15T15:45:21Z
Modified
2026-07-15T16:49:27.669629300Z
Summary
Malicious code in react-hook-scripts (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (52d4b717c5de5139b732e16ea9eca2654947ecf17e919334a6dd039c5b60e059)

The package's default export getPlugin fetches a JSON document from the hardcoded endpoint https://svganchordev.net/icons/108 and passes the returned credits field to new Function('require','module','exports',...,'Promise', data.credits), executing the server-supplied string as JavaScript with full Node.js globals (require, process, Buffer) available. The remote URL is assembled by concatenating protocol/separator/domain/path fragments and the request is framed with an bearrtoken: "logo" header and an icon-retrieval path, disguising a remote code loader as an SVG helper despite the package's advertised role as a React/SVG utility. Declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3, node-machine-id) are consistent with a credential and host-fingerprint stealer stage delivered by the fetched payload. Any caller of the advertised API triggers execution of arbitrary attacker-controlled code on the installer's host, and the payload can be changed server-side at any time.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-15T15:45:21Z",
            "sha256": "52d4b717c5de5139b732e16ea9eca2654947ecf17e919334a6dd039c5b60e059",
            "versions": [
                "5.4.2"
            ],
            "import_time": "2026-07-15T16:34:36.342742205Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010684"
        }
    ]
}
References
Credits

Affected packages

npm / react-hook-scripts

Package

Affected ranges

Affected versions

5.*
5.4.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "react-hook-scripts-5.4.2.tgz",
            "hashes": {
                "sha1": "19b2b7c619e2e677568d190167a2a650e1f50af6",
                "sha512_sri": "sha512-hZyPz/YpF/r0n/r39F44mgR+IQAgy+P+bSACdlniifnmG1zcIy2c8gNa5utoxow6GixPUUejbzQNFe0WMo1G4A=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "ebc1616546fa31a36a67e4eef30f10027165e3133759e971f48e42902fca568e5f24e8",
            "sha256": "bbf2e5eb654fae0b706618a4172fda87c34834fb2bfeb503bb5a262dd8d3b0b8",
            "path": "index.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-hook-scripts/MAL-2026-10684.json"