MAL-2026-4631

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/opentiny-react/MAL-2026-4631.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4631
Withdrawn
2026-05-26T22:13:04Z
Published
2026-05-25T10:31:12Z
Modified
2026-05-27T00:32:06.805630029Z
Summary
Malicious code in opentiny-react (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (70307cffed06951bdb7b961e7846e3b3e0ba660b75ddca0b4fa11366ab94dc6d)

The package opentiny-react reproduces the source, README, and CHANGELOG of the legitimate @tinymce/tinymce-react integration verbatim under a confusable unscoped name. Its package.json falsifies the author as 'Ephox Corporation DBA Tiny Technologies, Inc.' while the repository points to github.com/mild-blue/opentiny-react, which is not the real Tiny organization (tinymce/tinymce-react). The wrapper itself ships no runtime payload, but package.json declares "opentiny": "6.9.31" as a runtime dependency — a name that mimics tinymce and is pinned to the same 6.9.31 version as this wrapper, consistent with a coordinated impersonation cluster. A real @tinymce/tinymce-react installation pulls tinymce, not opentiny. Installing opentiny-react silently pulls the attacker-controlled opentiny package into the dependency tree where its install-time and import-time code will execute against the installer.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "6.9.31"
            ],
            "modified_time": "2026-05-25T10:31:12Z",
            "sha256": "70307cffed06951bdb7b961e7846e3b3e0ba660b75ddca0b4fa11366ab94dc6d",
            "id": "IN-MAL-2026-004622",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:58.03041246Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / opentiny-react
Affected ranges: 6.*
Affected versions: 6.9.31

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-Pope4ceD4EBFVlz8FHwDmBPy7MkJ4Agg3ljCALxO4dBIpp3/H+m3CFBf6vQZw4PH1kMh7tGzosUWiUZmFlKx1A==",
                "sha1": "4fd20762cb62c4590822914994aeabb5ed17e536"
            },
            "filename": "opentiny-react-6.9.31.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "c2510048c8298cb32dca0298aa741b52e43c44031c61fc4c37e243ad4f5d66f627cbae",
            "sha256": "3f178d3fc775b053e8565c1a417431e410746b7758ac305e9e2723d9c2476d11"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/opentiny-react/MAL-2026-4631.json"