MAL-2026-4359

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@agora-sdk/react-js/MAL-2026-4359.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4359
Withdrawn
2026-05-26T19:42:47Z
Published
2026-05-25T08:03:02Z
Modified
2026-05-27T00:32:01.030859459Z
Summary
Malicious code in @agora-sdk/react-js (npm)
Details


Source: amazon-inspector (9febb9d8dda2eea07ef909b9713ca6531c4a5b51a75fd730a312bec8d8a11135)

Package is published under the '@agora-sdk' scope, strongly associated with Agora.io's real-time-communications SDKs, but its actual contents are a fork of @replyke/react-js (exports ReplykeProvider, useReplykeDispatch, selectAccessToken; storage keys 'replyke-accounts:'). A header comment in dist/cjs/hooks/useOAuthSignIn.js explicitly states the original Replyke OAuth base URL was 'repointed... to a self-hosted, Replyke-compatible Agora backend' by a third-party author.

useOAuthSignIn POSTs ${getApiBaseUrl()}/${projectId}/oauth/(authorize|link) with provider/redirect data and unconditionally redirects the user to the response's authorizationUrl; the base URL is supplied by sibling package @agora-sdk/core (same publisher), so the entire OAuth initiation and token-issuance path is controlled by the package author rather than by Replyke or by the consuming application. Access and refresh tokens parsed from the post-OAuth URL fragment are persisted under storage keys consumers expect to be Replyke-issued.

Net effect on an integrator: end-user OAuth sessions for any application built against this 'Agora SDK' are intermediated by an author-chosen backend, enabling silent token interception and session impersonation. The combination of namespace impersonation of a well-known vendor (Agora.io) plus a covert redirect of an unrelated upstream library's auth endpoint is a deliberate supply-chain deception, not a fork in good faith.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:52:54.64311122Z",
            "versions": [
                "1.0.2"
            ],
            "sha256": "1aa4cac1867c97f5be37d67a778eb5bf92f6ef1121eb173d870901428aaad1bc",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T08:03:02Z",
            "id": "IN-MAL-2026-004595"
        },
        {
            "import_time": "2026-05-26T05:52:55.044678722Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-004598",
            "sha256": "9febb9d8dda2eea07ef909b9713ca6531c4a5b51a75fd730a312bec8d8a11135",
            "modified_time": "2026-05-25T08:11:12Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @agora-sdk/react-js

Package

Name
@agora-sdk/react-js
Purl
pkg:npm/%40agora-sdk%2Freact-js

Affected ranges

Affected versions

1.*
1.0.2
1.0.3

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "77b1955316a301a15bb385d57b47a817b03b504b3d9ce150754e4b982f0f88e8f27ada",
            "sha256": "84d891c093f1955f1fed2b7d154cfec3e503b38708cf9f7f65baa4dffab7671d",
            "path": "dist/cjs/hooks/useOAuthSignIn.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-yJJDitOnCzEIdOPToCa1wQxPdji/ZU5PGm3R8UUqWGzC4dn7Ac1mOt8em4FGe4c33mhodD8WbuAR9sny2DVT4w==",
                "sha1": "956c037c2d3970c3a4b040fc83bb8c0c78088a27"
            },
            "filename": "react-js-1.0.2.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@agora-sdk/react-js/MAL-2026-4359.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]