VDB
KO

MAL-2026-10605

Malicious code in @radivi-ui/react-dialog (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b5e92ae03eb6adb090fb832665431984cccef31039bb920e3850535f4defe610) @radivi-ui/react-dialog is a typosquat of @radix-ui/react-dialog whose main entry (index.js) is a self-executing IIFE that runs `whoami` and `hostname` via `child_process.execSync` when the package is loaded via require/import. The command outputs are hex-encoded and exfiltrated to the hardcoded Burp Collaborator subdomain `vih2vewj1xxwlsd8dkgjqugtyk4bs1gq.oastify.com` via both DNS resolution (dns.resolve of a crafted subdomain) and HTTP GET (http.get). The behavior fires unconditionally on module load with no user opt-in, no CLI gate, and no relation to any dialog/UI functionality the package name implies.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @radivi-ui/react-dialog

No fixed version published yet for @radivi-ui/react-dialog (npm). Pin to a known-safe version or switch to an alternative.

References