VDB
KO

MAL-2026-10684

Malicious code in react-hook-scripts (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (52d4b717c5de5139b732e16ea9eca2654947ecf17e919334a6dd039c5b60e059) The package's default export `getPlugin` fetches a JSON document from the hardcoded endpoint https://svganchordev.net/icons/108 and passes the returned `credits` field to `new Function('require','module','exports',...,'Promise', data.credits)`, executing the server-supplied string as JavaScript with full Node.js globals (require, process, Buffer) available. The remote URL is assembled by concatenating protocol/separator/domain/path fragments and the request is framed with an `bearrtoken: "logo"` header and an icon-retrieval path, disguising a remote code loader as an SVG helper despite the package's advertised role as a React/SVG utility. Declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3, node-machine-id) are consistent with a credential and host-fingerprint stealer stage delivered by the fetched payload. Any caller of the advertised API triggers execution of arbitrary attacker-controlled code on the installer's host, and the payload can be changed server-side at any time.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-hook-scripts

No fixed version published yet for react-hook-scripts (npm). Pin to a known-safe version or switch to an alternative.

References