VDB
KO

MAL-2026-10738

Malicious code in mui-option (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8e1c3ec117eaeedbd4c3f64c2fec97d44e115d400c7e52082b7d6cc28f7c59ec) The sole shipped file index.js is heavily obfuscated with a base64+RC4 string-array decoder that hides all module names, URLs, and method identifiers. On import (main entrypoint), it requires child_process, os, fs, path, crypto and https, issues an https.get to a runtime-decoded URL, splits the response on ':' into an IV and ciphertext, derives a key with crypto.scryptSync, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under os.tmpdir(), and executes that file via child_process.exec. The package has no legitimate advertised functionality, its name resembles the MUI ecosystem, and no other code path exists. Any project that requires mui-option triggers execution of attacker-controlled native code on the installer host. The tarball also ships npm_recovery_codes.txt containing five 64-character hex strings matching the format of npm 2FA recovery codes, suggesting a publishing-account compromise.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / mui-option

No fixed version published yet for mui-option (npm). Pin to a known-safe version or switch to an alternative.

References