MAL-2026-10626
Malicious code in @react-case/option (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c4beffda94b8ea554f153faaf508da7906f78d821d45d2fca7b7b61180740269) The package's main entrypoint (index.js) is heavily obfuscated with a string-array + RC4-style decoder that reconstructs all API names and the target URL at runtime. On module load it requires fs, os, path, crypto, and child_process, performs an HTTP GET against the runtime-reconstructed remote host, splits the response on ':', decrypts the parts with createDecipheriv using a hardcoded key/IV, writes the resulting bytes to a file under os.homedir(), and executes that file via child_process with cwd set to the user's home directory and windowsHide:true. The package ships no README, has an empty description and empty author metadata, and there is no legitimate library functionality — the only effect of requiring it is fetch-decrypt-write-exec of attacker-controlled code on the installer's machine.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @react-case/option (npm). Pin to a known-safe version or switch to an alternative.